Browse by

The Legion of Doom will long be remembered in the computer underground as an innovative and pioneering force, that consistently raised the collective level of knowledge and provided many answers to questions ranging from the workings of the telephone system to the structure of computer operating systems. 5. At all times relevant herein, the Legion of Doom (LOD) was a closely knit group of computer hackers involved in: a. Disrupting telecommunications by entering computerized telephone switches and changing the routing on the circuits of the computerized switches. b. Stealing proprietary computer source code and information from companies and individuals that owned the code and information. c. Stealing and modifying credit information on individuals maintained in credit bureau computers. d. Fraudulently obtaining money and property from companies by altering the computerized information used by the companies. e. Disseminating information with respect to their methods of attacking computers to other computer hackers in an effort to avoid the focus of law enforcement agencies and telecommunication security experts. - Indictment laid down by a US District Court It wasn't the crimes they were committing, but the danger, the potential hazard, the sheer technical power LoD had accumulated, that had made the situation untenable. - Bruce Sterling in The Hacker Crackdown Its been over THREE whole years since we last put out a TJ! May, 20th 1990 to be exact. The LOD TJ, will publish any acceptable and original articles, technical explanations, schematics or other files that deal with computer security/insecurity, telecommunications, data networks, physical security, credit, law enforcement, privacy, cryptology, restricted information, editorial commentary and other topics. To submit an article for publication simply send it to us. Freelance writers are always sought after to provide original articles for the TJ. Bigger is better as far as this Journal goes. The more information, the more instruction and the more people can benefit from it.

The LOD also seeks qualified members to fill its ranks. You must possess a strong desire to both learn and teach. Those with an eleeet attitude need not apply. LOD's former membership was a list of some of the brightest and most capable individuals in the underground - names like Mark Tabas, The Mentor, The Prophet and others. Take advantage of your opportunity to join the ranks of the world's greatest underground group. Apply today. What is particularly needed right now is someone in the publishing business to publish all the TJ's on hard copy and make them available for mass sale. Not just another "hacker book company" mind you, but one that will be able to place the TJ in your common book store. As this will both give us legitimacy and make it available to the average person and not just those with modems or net.access. We expect to receive no profit from this so there is an added bonus to any potential publishers. If you are a publisher or can get us in contact with one that can undertake this, by all means contact us. Reach us at: Internet Email: tdc@zooid.guild.org Mail: LOD P.O. Box 104 4700 Keele St. North York, ON M3J-1P3 Voice: +1-416-609-7017 The Legion of Doom is back to... o Provide free education for the public in data and telecom networks, operating systems and other aspects of technology. Through both our Technical Journal and our new Legion of Doom Technical School. o Turn hacking back into its former glory of technical understanding away from its c0de abusing state today. o Publish a high-quality Technical Journal available to all who are interested completely free of charge. o Give fellow hackers an organized group of similar minded individuals to communicate and learn with. Please be advised that we are still getting "back on our feet". So look for much better journals and other things to come from us in the future. It will take at least a couple years to get the Legion back to its former glory so don't expect things to happen instantly. Hopefully these journals can come out every couple of months, instead of our previous year odd gaps between releases. But as finding and writing suitable articles is very difficult it may be sometime before the next issue comes out. If this does happen, don't assume we're dead. More journals will come out, it is only a question of when. For one reason or another the LOD has always been surrounded by an atmosphere of mis-information, confusion and downright lies. Everyone has heard the expression "don't believe everything you hear". This is especially true with anything concerning the LOD. As a general rule if you didn't hear it in this TJ, chances are its untrue or incorrect. This TJ may be freely distributed on either hard or soft copy forms as long as it has not been altered.

TECHNICAL SCHOOL Rather than just educating everyone informally in the ways of computer and telephone security and understanding, the LOD has decided to go all the way with it. No longer are we just a hacking group. The LOD is now offering formal courses the way any other accredited Technical School, College of Applied Arts or University does. Several Reasons lay behind this bold new decision... o o o o Educate people in skills that can be applied to today's job market. Give a general understanding in computers/telecom. Offer unique courses that other institutions don't offer. Instead of people wrongly claiming to be a "hacker" they can now become one. o Offer all those interested a chance to enrol. o And to provide them free of charge. Due to limited resources only the three courses we felt to be the most important are being offered. They will be conducted on a "correspondence" basis. It operates as follows. If you are seriously interested in enroling in these courses, send us Email or snail mail with the completed application form at the end of this calendar. That includes your name, address, phone number, Internet address if applicable and a brief outline of your educational and occupational background. Don't worry though all applicants are accepted. We would however advise everyone that previous experience with a computer is recommended. If sending snail mail be sure to provide a 8X11 size SASE for us to reply to you in. A course outline including a list of required readings and assignment due dates will be mailed back to you. In the outline will be full bibliographic information on the books and soft copy materials you'll need for the course. It will work just like any other course does just without the exams and tests as it would be impossible to adjudicate them. However, because of this and to maintain the integrity of the LOD Technical School papers will be marked sternly at post-secondary standards. After you submit your paper to us an LOD member will mark it and return it to you via snail or email with comments and a grade attached. Now for the best part... You can take these LOD courses as "Courses at another institution". Meaning that yes, in addition to getting your degree, included in it can be LOD courses! ALL educational institutions have provisions for courses to be taken at other institutions. Its a fairly simple procedure. You go to your Office of Student Programmes/department/guidance centre etc. and obtain a form for "taking a course at another institution". Attach the course descriptions from this file and gain permission from the director of your faculty/department/program/etc. and then you are set. Providing you pass our courses with a high enough grade your institution will accept the courses as part of your degree requirements. If your institution has no equivalent courses, they can become "electives". Since you are usually required to take up to 3 elective courses to obtain a degree why not do something you enjoy? After all its more exciting than taking Early Italian Literature as your elective. There is no need to worry about our "legitimacy" as long as you obtain permission to take the course through the proper procedure. An institution does not need any kind of formal designation though the Department/Ministry of Education to provide a course. We are just another one of the millions of institutions throughout the world that offer training or formal courses. These courses can also be used to place you in "Advanced Standing" if you aren't at school now but decide to in the future. Or just for the sake of expanding your horizons/mind/abilities etc.

Because we have no set semester schedule, courses start at the first of every month and run for five months. Starting 1 November 1993. Take them at your own convenience. A maximum of one course may be taken at a time. Here are the descriptions to the first 3 LOD Technical School Courses: (Full outlines will accompany your enrolment starting 1 November 1993) ------------CUT HERE--------------------------------------------------------TEL3440 0.5 Credits Telephony With the rise of sophisticated technology telephony is becoming much more complex. The entire telephone network from customer premises equipment to switching systems will be covered. Recent trends such as ISDN, BISDN, fiber optics and data networking will also be studied. CSC3450 0.5 Credits Computer Security With the rise of computers, securing them against criminal or malicious use has become vital. Surprisingly little attention has been devoted to it leaving many systems wide open to abuse. Covered in this course will be the security of LANs, networks and various operating systems. Cryptology will be examined as well. HCK4100 0.5 Credits Intro to Hacking Despite all the attention hackers have received, there is only a small core of no more than a few hundred people in the world that have the skills to actually hack. Starting with the basics of hacking it will guide you into more advanced intrusion techniques with the more popular operating systems. This course may be taken based on your own abilities, so master hacker or just plain novice it will fit you. PSNs, Internets, basic hacking on popular operating systems such as unix and vax will be covered along with other operating systems and nets depending on your time/prior abilities. ------------CUT HERE--------------------------------------------------------Career Opportunities After passing our courses you will be able to supplement your job skills for finding employment in any sector of the economy - Business, Industry or Government that deals with computers/telecom. Remember these are FREE courses. They have a retail value of around US $1,250 each if taken at a high-quality University in the US. Take advantage of this opportunity to learn something you enjoy doing for FREE. The Legion of Doom believes in disseminating knowledge so is offering these courses as a public service to the world. Finally they are well worth your time. They are done in highly organized with carefully selected readings and assignments. It would take years of self-study to achieve what you can with these courses in just a few months. And because we don't spout out loads of useless and academic theory, math and equations like most institutions you'll learn far more here. Since these are "correspondence" courses you must have a high degree of selfdiscipline and motivation. If you lack these qualities don't waste your time or ours by attempting them. They will take at least several hours of week on your part, so if you can't put aside such time don't bother with them. If you would like to take these courses send the enclosed application form (either in email or snail mail) to the Legion of Doom Technical School at: Internet: tdc@zooid.guild.org

Mail: LOD P.O. Box 104 4700 Keele St. M3J-1P3 -------------CUT HERE-------------------------------------------------------LOD Technical School Application Form %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Note: The start date for these courses is 1 November, 1993. They are 5 months in duration. Right now applications are only being taken for the 1 November start date. You may take a maximum of one course at a time. PERSONAL DATA (If any of this is left blank, your application will be rejected) Course you wish to sign up for: Surname: Given Name: Daytime Phone Number (include NPA): Office Phone Number w/Ext.: Internet Email address (leave blank if none): Address: Apartment #: City/Town: State/Province: Postal/Zip Code: Country: SUPPLEMENTARY DATA Describe your computer related skills and experience: What operating systems are you fluent in? Briefly describe your educational background: Your occupational background: Do you have the self-discipline, dedication and time to apply yourself here? -

These journals may be found at ftp.eff.org in the pub/cud/lod directory and on many other sites. Look for a full list in the next TJ. If your board or site would like to carry these TJs to aid in distribution let us know. ---------------------------------------------------------------------------The LOD Technical Journal: File #4 of 12 =--=--=--=--=--=--=--=--=

Communications Technology (tm) Unequal Access LOD June 1993

The title of this article is that of communications technology. Not data communications or telephony but communications. The two have for all practical purposes become one in the same. Voice communications, wireless communication services etc. are now being transmitted by digital means. What was once a simple matter of drawing a line between the two is no more the case. This convergence together with new technologies radically changes the picture of communications. Many former concepts and systems will be obsolete in a few years. To examine the future of communications i'll cover: ISDN and BISDN ATM SONET Service Net-2000 Other developments

ISDN =--= A comprehensive description of ISDN would be to big to cram in here so a brief definition and update on the status of ISDN will be given. ISDN Defined -----------ISDN is defined by the CCITT as: ...a network in general evolving from a telephony Integrated Digital Network (IDN), that provides end-to-end digital connectivity to support a wide range of services including voice and non-voice services, to which users have access by a limited set of standard multi-purpose user network interfaces... Basically ISDN is a network that carries voice and data over the same lines. All services exist in digital form and can be switched by one network. Much has been forecasted about how ISDN will change the world with interactive television, home banking, employees conducting business at home, new services etc. with AI systems controlling central databases. Technically defined it provides a digital interface, usually with 2 channel types - B channels for voice and data and D channels for signalling and control. This gives a dedicated channel for the subscribers information and one for control of the interface. The fundamental building block of ISDN is its 64 kbps digital channels. With two main interfaces - Basic Rate Interface (BRI) and Primary Rate Interface (PRI). BRI handles small scale services such as subscriber lines and PRI handles large scale services such as central databases. Each has both a D channel and X number of B channels. BRI has 2B + D channels and PRI has 23B + D channels. Each B channel is 64 kbps and the D channel is 64 kbps for the PRI and 16 kbps for the BRI. To plan for future increases 384 kbps has been allotted to the H0 channel, 1336 kbps to the H11 channel and 1920 kbps to the

H12 channel. Integration ----------ISDN will have one format, so various devices won't need their own dedicated lines. One common interface will accommodate all applications. By having one set of wires and protocols users won't need to bother with coaxial cables for television, X.25 protocols for packet switched networks (PSNs), telex lines, various leased lines etc. Misconceptions -------------ISDN itself isn't going to provide anything. It is just the standard for network interface. Anything new will depend upon the services offered on it. The concept of digital switching is not a new one to begin with. Its been in use since the mid 60's. The real "upheaval" with ISDN is that Ma Bell is no longer going to provide just telephone calls but a whole range of services. This list of services along with speed requirements and channel type was taken from the IEEE. Service ------Voice Alarms Smoke Fire Police Medical Utility metering Energy Management Interactive information Electronic banking Electronic yellow pages Opinion polling High quality audio Slow scan TV Compressed video Compressed video conf. Broadcast video Switched video Interactive video Facsimile graphics Speed Required -------------8,16,32,64 kbps 10-100 bps Channel ------B D

CCS --Another vital part of ISDN is Common Channel Signalling (CCS). Which separates signalling information from user data. Rather than being an older form of in-band signalling where signals and data are on the same channel it is out of band, where signals travel on different channels. This allows more services and reduces circuit connection times. ISDN uses SS no.7 (SS7). The initial version SS6 used analog trunks of 2400 bps, SS7 uses digital trunks of 56/64 kbps. Well, you've most likely asking yourself what this all means for our underground activities. It will create a bonanza of new services and opportunities all unified in one network. Just as data and voice communications are merging so to will hacking, phreaking, cable fraud etc. Because ISDN has yet to be implemented on a mass scale in North America its not possible to say specifically how it may be abused. You should still be prepared for its arrival by understanding its design and purpose though.

Broadband ISDN (BISDN) ---------------------Is designed to exploit ISDN's full broadband capabilities. With BISDN everything from alarm monitoring to live action video broadcasts can be handled. BISDN is designed to use optical transmissions and compress its data up to 15 times by using more sophisticated terminal equipment. Thus BISDN can handle video images which require refreshing 30 times a second and would require transfer rates of 100 Mbps with no compression. Because of its complexity BISDN will likely end up in commercial applications in the near future. Transfer Modes -------------In the design of BISDN standards either the synchronous transfer mode (STM) or the asynchronous transfer mode (ATM) can be used. STM is the POTS way using time division multiplexing. Synchronous multiplexing uses a clock to assign windows for information to be transmitted, regardless of wether transmission takes place at all. Asynchronous multiplexing does without a clock to keep transmissions in place. ATM is virtually the same as this, with faster routines. In ATM windows for transmission are opened when needed and are not arbitrarily assigned. Information indicating the source is in each header. ATM is the more common method being CCITT approved. STM is still being debated as the use of highly accurate atomic clocks will ease multiplexing digital bit streams coming from multiple locations. ATM =-Is a method of cell oriented switching and multiplexing giving high-speed, low error transmissions. Which combines the efficiency of packet technology with the reliability of circuit switching. It is made up of fixed, 53 character cells. Every cell has 48 characters and a 5 character header to keep track of its source. Incoming data is broken up into smaller uniform cells by ATM equipment, transmitted and reassembled upon reception. Since processing fixed sized cells is such a basic task, ATM is much faster at packet switching than say X.25 is. Giving ATM the ability to deal with such demanding applications as real-time video. ATM switches and transmits all forms of communications - voice, data, narrow and broadband, continuous

and two-way dialogue traffic, in this uniform fashion. ATM transmits its data over a "virtual channel" when in connectionless mode. A virtual channel is the channel that connects points on the ATM network. A virtual connection moves a set of virtual channels with the same path identifier over the network. It has a cell header that consists of a virtual path and virtual channel identifier. To allow private networks, crossconnects or virtual path switches create a permanent link or virtual path between both ends of the network. Virtual path switches don't need signalling as ATM switches do. The adoption of a global ATM network will be at the earliest in 1995. Trials with ATM are already underway. The move toward BISDN will require the development of both this ATM network and crossconnects. SONET =--=The Synchronous Optical Network (SONET) is the ANSI standard for the transmission of ATM frames on optical fiber networks. SONET vastly increases potential transmission rates. It far surpasses today's DS3 speed and has an OC-1 bandwith of 51.84 Mb/s. OC-48 is 2.5 Gb/s, the commercial version will be much slower at OC-3 or 155 Mb/s. In addition to providing greater data transfer rates it is a far more intelligent network, transmitting control directives in its synchronous stream. The subscriber's data is contained in the payload and the control directives in the overhead. Overhead is made up of its section, line and path components. Users can manipulate the network with messages placed in overhead. The section overhead covers frame and error monitoring and controls key equipment on the transmission line such as optical regenerators. Line overhead monitors performance. Path overhead monitors errors and controls the signalling between different points on the SONET network. SONET's synchronous bit streams give very reliable transmissions and multiplexing. SONET more or less integrates the functions of OA&M and as a result fewer systems will be needed to perform them. What this means is fewer access ports will be available to dial into. SONET (and for that matter ISDN, BISDN, SS7 and ATM) are more complicated and have a lot more to them than what's been presented here. Look for specialized files on them and what they can do for you in upcoming journals. Service Net-2000 =--=--=--=--=--= Service Net-2000 is designed to use the capabilites of the 5ESS Switch to provide a better public switched telephone network (PSTN). Improvements that are required by the advent of more technically demanding services such as HDTV, high speed data transmissions, speech recognition etc. These services require faster and faster communications and higher bandwiths. Service Net-2000, is designed to provide higher capacity switching and data networks using SONET technology. The goal being to provide an effective universal information service (UIS). In this Service Net-2000 is a kind of "follow up" to ISDN. Architecture -----------SS7 is at the heard of this intelligent network. It provides 64 kb/s voice transmissions and 1.54 mb/s (T1) data transmissions, when over fiber optic or other high bandwith lines.

The need for Service Net-2000 is high, once you consider the oncoming rush of optical transmissions measured in rates of gigabits/second. Nodes in Service Net-2000 are also "intelligent" being "self-aware", adapting to net changes, making corrections and self improving. The main goal to Service Net-2000 architecture is to provide unification. It combines basic functions such as switching, routing etc. with data transmissions just as ISDN does. The end result being a decentralized CO throughout the system. As individual functions disappear and are replaced by this integrated system. Service Node -----------This integration is performed by the service node. Based on the 5ESS-2000 system (note that 5ESS is now 5ESS-2000 when used with Service Net-2000 and broadband network services-2000 (BNS2000)) The "2000" group that forms this is based on SONET. Using flexible mapping and frame switching rates at multiples of 51.84 mb/s are supported. The "2000" group consists of the: Digital data multiplexer (DDM-2000) Digital access and cross-connect systems IV-2000 (DACS IV-2000) DACS III-2000 cross connect system DACScan-2000 controllers DACScan-2000 workstation FT-2000 lightware

The DACS IV-2000 is able to carry higher speed virtual tributary (VT) channels and not just today's, slower asynchronous ones. Both DACS IV-2000 and DACS III-2000 can support non-SONET hookups too, making them quite versatile. The DACS III-2000 differs from the IV-2000 in offering the DS3/Synchronous Transmission Signal-1 (STS-1) 5ESS-2000 --------As I mentioned before 5ESS-2000 combines BNS-2000 with the other members of the "2000" group. This boosts the capacity of a 5ESS-2000 Switch to 250,000 lines on 64,000 trunks. Key to this is the improved switching module, the SM-2000. It handles everything associated with a call and can even be used as a stand alone remote office, in which case it's called a EXM-2000. To enable high-speed interfaces, 5ESS-2000 uses digital networking units (DNUs). All a DNU is, is a combination of a 5ESS Switch with say a DACS switch. The DNU-IV is a derivative of the DACS IV-2000 and gives additional high speed possibilities. Due to its high operating speed it can greatly speed up CO operations that are slowed down by older copper wirings. With the DNS-2000 cell switch, the broadband integrated services digital network (BISDN) will be created. Point-to-point packet frame relays can be provided even to those lacking T-1s. As well as offering switched multimegabit data services (SMDS) with up to T3 capabilities. The cell switch is made up of low speed port carriers running at 8 mb/s and high-speed switching systems running in excess of 200 mb/s. BNS-2000 handles both frame relays that require connections and SMDSs which don't. Service Net-2000 has the ability to redirect calls between different areas effortlessly. The service control point (SCP) provides the information for the service circuit node based on call screening options, the date/time etc. Allowing the 5ESS-2000 switch to offer a whole range of options such as call

waiting, forwarding, blocking etc. Basically the idea behind Service Net-2000 is to add intelligence to the 5ESS switching system and to drastically improve its speed and call handling abilities. With the purpose of creating a more powerful UIS. Other Developments =--=--=--=--=--=-Intelligent Network (IN) -----------------------IN is just distributing AI throughout the network. A trend which pops up numerous times throughout this issue of the journal with Expert Systems, Service-Net 2000 etc. The idea behind IN is to have large and fast central databases connected with the rest of the network with protocols such as X.25, SS7 etc. IN allows global service to be introduced easier with good flexibility. IN is comprised of service switching points (SSPs) and service control points (SCPs). SSP takes calls and sends them to an SCP. SCPs contain the databases themselves such as calling card verification data. Telecommunication Management Network (TMN) -----------------------------------------TMN as the name implies manages the network. TMN performs OA&M on a CCITT standardized structure. Gigabit Testbeds ---------------Are now being implemented for experimental purposes by DARPA, NSF and others. Several are being conducted by the Corporation for National Research Initiatives (NRI). They involve telcos, academic, commercial and government researchers for the future National Research and Education Network (NREN) Internet. NREN promises a good deal of services, such as real-time transmission of high-speed data streams, huge automated electronic libraries and Gb/s transmission rates taking us away from ascii into full motion video. One experimental net is Vistanet with ATM and SONET capabilities and 622 Mb/s speed. Another one is Aurora. Bellcore is providing an experimental Sunshine switch and IBM a Planet Packet Transfer Mode (PTM). Unlike ATM, PTM packets have no fixed size being as large as 2k. PTM is not a recognized standard but may end up in commercial use, with ATM serving the network itself from the CO. NT is providing a SONET Digital Multiplex System (S/DMS) that takes up to 16 SONET inputs of 155 Mb/s and multiplexes them to 2.4 Gb/s for Casa a cooperative venture of several organizations in California. The main component of Casa is a high-performance parallel interface (Hippi) gateway for SONET. A European group called RACE (R&D in advanced communications technologies in Europe) is designing Integrated Broadband Communications (IBC) within a BISDN. RACE is also working on Code-Division Multiple Access (CDMA), optical networks, teleshopping, electronic funds transfer over a ATM BISDN, mobile network architecture and the universal mobile telecommunications system (UMTS). The Future ---------Compared to the last century of relatively stagnant copper wiring the impact of higher bandwiths and optical technologies will - eventually - be

monumental. All of this does however depend on the introduction of optical fibers. Because of the narrow-band copper wires that are the last link to the subscriber, evolution to better technology is stunted (in the US at least). The cost of overhauling these copper wires in the US with fiber ones is on the order of 200 billion US. In other nations however, the use of fibers linking residential homes is more than 50%. Fiber technology is however, constantly growing and its price dropping. As an aside to all this, look at what's been done in the last 10 years of communications compared to the last 100 years. We are constantly lessening the doubling time of communications technology. In the next 3 years we will equal the last 10 years of progress. Soon it will drop down to a year and then to a matter of months. Since International standards take 15 + years to work out bureaucracy may become an impediment. --------------------------------------------------------------------------Sources IEEE 0018-9235/93 Telecommunications Journal April 1993 Various books and articles on ISDN --------------------------------------------------------------------------The LOD Technical Journal: File #5 of 12 =/=/=/=/=/=/=/=/=/=/=/=/=/=/= Maintenance for DMS-100 Written by -/- Unequal Access -/.Introduction In order to maintain Northern Telecom's (NT) DMS-100 Digital Switch an advanced menu driven man-machine interface (MMI) is used. It is comprised of a Visual Display Unit (VDU) which is part of the Maintenance and Administrative Position (MAP) interface. I'm going to outline how it deals with maintenance, alarms, and administration. A quick example of how it handles line and trunk trouble reports and the addition of a new subscriber will be given. .Maintenance and Administrative Position (MAP) Hardware The MAP is the primary interface between the technician and the DMS-100 family of switches. The main hardware components of the MAP are: 1. 2. 3. 4. Visual Display Unit (VDU) - the MAP terminal Alarm Panel - sends an alarm to the VDU. Communications Module - (telephone) to speak with the subscriber voice Test jacks

.Remote MAP Since all line and trunk test equipment is an integral part of the DMS-100, no loss in accuracy results when the MAP is remote. Every switch has its own dialup as well. Meaning this is not a theoretical file, you will be able to dial up DMS-100 and perform switch maintenance! Maintenance A sophisticated MMI through the MAP terminal is used, to allow a technician to maintain the switch and keep informed of switch operations. Maintenance of

a DMS-100 digital switch is made up of: 1. Manually requested maintenance 2. Scheduled maintenance 3. Automatic maintenance after the detection of faults Alarms The system maintains alarms for the more critical areas of the switch, ie. the central controller. A real-time display of the alarms gives the technician constant status reports. Administration A Table Editor allows the technician to add new lines or trunks. A Service Order facility allows features such as hunt groups and Multiple Address Directory Numbers (MADN) to be added. .Maintenance A common use of line maintenance is in resolving a customer type trouble report. The technician selects the Line Test Position (LTP) option and the selected line is flagged for action by an identifier (ie. directory number, physical location number). The line status information, ie. line state and terminating director number is constantly sent to the MAP terminal by DMS-100. A functional test of the subscriber's dedicated line card is invoked by DIAGNose. Test equipment measures performance of the line card and reports deviations from defined levels. Here is what a LTP with line diagnostic results appears as on the terminal: CC CMC IOD Net PM CCS LNS FDIAG M Trks Ext 10 GC "C"

Using this command the source of a fault and whether its on the subscriber end or not can be determined. This test is usually run during off-peak hours, using MAP's Automatic Line Test (ALT) and the Automatic Line Insulation Test (ALIT). System Line Initiated Line Testing When call processing detects faulty lines they are automatically scheduled to be diagnosed in queue. The outcome is given to MAP, and a record is printed in an office log. Trunk Maintenance Executes checking, testing, monitoring, status monitoring and verifying functions to make sure trunks are working right. It also provides a means of quick troubleshooting when a trunk problem occurs, using the telescoping process to pinpoint the problem location. An example of a Centralized Automatic Message Accounting 2-Way (CAMA2W) Trunk is given here: CC CMC IOD Net PM CCS LNS Trks Ext 10 GC "C" DIG STASR DOT TE RESULT 1 IDL

A technician can choose to conduct trunk testing manually from the Trunk Test Position (TTP) or automatically from the Automatic Trunk Testing (ATT) level of the MAP. .Alarms Are reported at three levels according to their degree of urgency. In order of urgency they are Critical, Major and Minor. Alarm thresholds are defined by an administrator. ie. the percentage of a trunk group that is out of service before a minor alarm is sent. Audible and visible indicators can be used locally, in another part of the building or in a remote monitoring center. .Administration The Table Editor Consists of a set of commands that will create or change data. The tables and Table editor is part of the DMS-100's database software. Control is done at the MAP. An example of a new trunk addition to an existing trunk group would be: >table trkmem TABLE TRKMEM: >add otdp1 1 SGRP: >0 PMTYPE >tm 8 TMNO: >0 TMCKTNO: >8 TUPLE TO BE ADDED: OTDP 1 0 TM8 0 8 ENTER Y TO CONFIRM, N TO REJECT OR >y TUPLE ADDED (input MUST be in lower case) /* TABLE Trunk Member /*Outgoing Trunk Digit Pulse /*Element 1 /*Subgroup Number /*Peripheral Module Type /*Trunk Module Type 8 /*Trunk Module Number /*Trunk Module Circuit Number

>range 3 3 SGRP TRUNK_SUBGROUP_NUMBER TYPE TRUNK_SUBGROUP_NUMBER {0 TO 1} Service Orders Are used to: - add/remove subscriber service from lines - add/remove services such as touchtone - change Line Equipment Numbers (LEN) or the Directory Numbers (DN) of lines Here's an example of how you can setup a New Single Party Flat Rate (1FR) with options. In this case the new line will be POTS with touchtone (referred to as dgt). The new line is part of line treatment group 1. The phone number or directory number is 555-1212. The line equipment number is 10 1 12 26 (frame 10, unit 1, drawer 14, card 26) Input in prompt mode: >SERVORD SO: >new SONUMBER: NOW 85 12 > >5551212 LCC: 1fr LTG: >1 LEN: >10 1 14 26 OPTION: >dgt OPTION: >$ COMMAND AS ENTERED NEW NOW 85 12 02 AM REJECT OR E TO EDIT >y

Input in no-prompt mode: >new $ 5551212 1fr 1 10 1 14 26 dgt $ COMMAND AS ENTERED NEW NOW 85... etc. >y Here is another example of how to install a new Electronic Business Set (EBS) with DN 800-555-1212 and LEN 2 0 1. The option Special Billing (SPB) is used with special billing DN 555-0000. Input in prompt mode: >SO: >new

SONUMBER: NOW 85 12 02 AM > DN_OR_LEN: /* DN or LEN >5551212 LCC: /* Line Class Code >pset /* Proprietary Set (EBS) GROUP /* Customer Group >custname SUBGRP: /* Sub Group >4 NCOS: /* Network Class of Service >10 SNPA: /* Subscriber Numbering Plan Area >800 KEY: /* Key Number of EBS >1 RINGING: /* Audible ringing? >y LEN: > 2 0 1 OPTKEY: /* Option on key >1 /* EBS key number OPTION: >spb /* Special Billing SPBDN: /* Special Billing Directory Number >5550000 OPTKEY: >$ That is the maintenance interface of DMS-100. If you are under the system, or any other DMSs for that matter go searching for its dialup number. As you can tell, there is no end to the things you can configure with it. Such as giving yourself "special billing" or no billing whatsoever. You can also edit numbers in different NPAs so a dialup in another NPA would suffice. ---------------------------------------------------------------------------The LOD Technical Journal: File #6 of 12 Operator Service Position System (OSPS) By The Enforcer Introduction -*-*-*-*-*-* OSPS is a replacement for the Traffic Service Position System (TSPS). For a description of the TSPS console see The Marauder's article in the LOD Technical Journal Number One, File Four. The main difference between the two is that OSPS can be integrated with the 5ESS Switch itself whereas TSPS was only stand alone. OSPS uses the full capabilites of 5ESS and ISDN to provide more services. OSPS also allows for a high degree of automation and by using standard 5ESS configurations, maint. is simplified. Remote Capabilites -*-*-*-*-*-*-*-*-* By using 5ESS, OSPS takes advantage of its remote capabilites. OSPS can be used to perform any traditional operator functions and just 1 OSPS switch can handle up to 128 operator teams. This enables operators to be located at one centralized location where thousands of operators work. (To picture this,

remember that MCI commercial with all the operators in that giant room) Huge operator centres can be located at great distances from their host areas. Conceivably, one huge OSPS centre could serve the entire nation. OSPS can either be made a component of a 5ESS Switch and handle various services or a single switch dealing with only toll or local calls. Control can be transferred from one OSPS to another. If there is low demand, a system crash or other emergency control can be passed on to another secure OSPS. This process is called interflow. One usage is during off-peak hours, when usage goes down for an OSPS centre to close down, and switch everything to another center. OSPS can use any number of signalling systems, with different languages or country specific requirements. Architecture -*-*-*-*-*-* Operator terminals communicate with switches using ISDN paths. This is done by connecting to positioning switch modules (PSMs). PSMs are simply the switching modules (SMs) found on 5ESS. There are numerous other SMs that use analog and digital trunks to perform a variety of services. SMs can be installed remotely in which case they are remote switching modules (RSMs) or optically remote switching modules (ORMs). Operator terminals allow operators to regulate calls and transfer data on a ISDN. Basic rate interface (BRI) is an integrated services line unit (ISLU) that connects up to the PSM. There are four main operator terminals - video display terminal (VDT) for toll assistance, basic services terminal (BST) for listing services, combined services terminal (CST) for both of these functions and intelligent communication workstation (ICW) for International traffic assistance. Knowing these terminals can come in handy when you are dealing with an operator, if you can't get an answer ask to know which terminal they are looking at. OSPS is automated as much as possible. Digital service units (DSUs) on the SMs provide digital automations when required such as requesting you to insert more red box tones (uh, coins) to continue your call. The architecture behind OSPS is based on the call processing architecture of 5ESS, and simply copies many of its functions. To originate and terminate OSPS the originating terminal process (OTP) and terminating terminal process (TTP) are used. The OTP is started when a trunk is seized, usually in the initiation of a toll call, and decides where to place the calls such as to automated billing etc. OTP also monitors the calls as its in progress and conducts billing. Should OTP move the call to an operator, it will label it as one of 128 possible conditions based on the dialled number and trunk group. TTP is started when the call goes out from the switch on outgoing trunks to enable signalling. Automatic Call Distribution (ACD) -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*ACD controls incoming calls to operator teams, placing them in queues if needed and directs the call depending on its condition to the right operator. At the OSPS centre, there are 128 teams, 1 for each condition. If there are no available operators ACD will place the call in one for four queue conditions. The first is ringing, the next two are announcements and the fourth is an announcement followed by a hanging-up of the caller. The ACD constantly has the status for every operator. The three conditions are made busy, busy and available. Made busy is an otherwise available operator that isn't ready to receive calls. If an operator team services more than one call

type, and if one call type is queued the call with the highest "delay ratio" (the expected wait time) will get the next available operator. Supporting teams, up to 8 of which back up the principle teams act as a "reserve" if the principle ones are busy. Subject to the condition that a queue is backed up higher than the "outflow threshold" and the supporting team doesn't have a queue past the threshold either. The position terminal process (PTP) logs operator status by looking at operator inputs, calls, etc. PTP will then route the call to the operator, place it in a queue or route it to another operator. PTP -*PTP has four models: virtual terminal (VT) - Takes keystroke inputs, checks them to see if they are legal commands and passes them on. feature model (FM) - Handles the status of the operator, if an operator logs in, it will indicate that the operator is now available. near model (NM) - Processes the operator inputs. call coordination model (CC) - Handles coordination between PTP and other operations. For example signalling between PTP and OTP/TTP. Here is how AT&T describes a typical event: . A seizure is detected on an incoming trunk, and an OTP is created. . Signalling information, such as dialled digits and the back number, is collected and analyzed; the need for an operator is recognized. . Call type is determined from the dialled digits and incoming trunk group to classify this as an OSPS call of type 1. The ACD administrator has assigned type 1 calls with serving team A as the principal team and serving team B as the supporting team. . The OTP sends a message to the ACD requesting an operator. This message identified the call as type 1 and obtains other call information. . The ACD determines that calls of type 1 are being queued. . The call is queued, and the expected delay is calculated. By comparing the expected delay with administratively specified delay thresholds, the ACD determines whether a delay announcement should be provided to the caller. . A message is sent to the OTP with this information. . The OTP first connects the delay announcement, then provides audible ring to the caller. . At this point, an operator from serving team B becomes available, and the call of interest has migrated to the head of call type 1 queue. The ACD determines that no calls are waiting in any of the principal queues for team B, and further determines that the next call in the call type 1 queue is eligible to be intraflowed to team B. The ACD informs the OTP to send the call to the available operator from team B by sending a message to the PTP in the PSM. It then marks that position as busy with a call. . The PTP, via the CC model, establishes the voice path between the caller and the operator and sends appropriate display messages to the operator terminal, via the VT model, to provide the initial call seizure information. . The customer requests a collect call from the operator who depresses the collect key and enters the number to be called. Messages are sent from the operator terminal to the PTP to relay the information. The VT model processes each incoming message and forwards the message to the near model. The near model marks the call as collect and initiates the connection to the forward party via a new CC model. This results in creation of a TTP and appropriate

interswitch signalling to ring the forward party. . After the forward party answers, the operator secures agreement for the collect billing and releases the call from the position via the position release key. This keystroke is first processed by VT and passed on to the near model. The PTP notifies the OTP of the collect billing arrangements. The talking paths are reconfigured to eliminate the operator position. The two parties on the call are now speaking directly without an operator on the call. . The operator terminal screen is cleared by VT. The FM reports its status back to the ACD as available to handle another call. . At the conclusion of the call, a billing record is made by the OTP. Automation and Efficiency -*-*-*-*-*-*-*-*-*-*-*-*OSPS is designed to be as automated as is possible. It is supposed to make as little use of human operators as can be gotten away with. When you think about it that's the result of OSPS - human operators are becoming less and less needed. If it wouldn't be for all the potential uproar, they'd get rid of all human operators entirely. They are regarded as a horribly expensive way to handle calls. OSPS allows operators comfy little terminals and pulls them out of situations where they are needed as soon as they aren't required. For example after obtaining a number for collect billing, the rest of the process - voice acceptance can be automated. Many services in the past that were separate are now combined under OSPS. For example toll and directory assistance operators had to be kept available in large numbers to handle call surges. Meaning toll assistance can be queued up, while directory assistance has available operators. Now with CST, an operator can handle both services. Data Communications -*-*-*-*-*-*-*-*-*ISDN is used to transfer data in OSPS. External systems can also be reached for such purposes as directory assistance information. Three layers are involved in OSPS operator-switch exchanges: layer 1 - the physical layer - Gives synchronous data transmission from the terminal to the ISLU. layer 2 - the link layer - Provides point-to-point exchanges between the terminal and PSM. layer 3 - the packet layer - Is the layer 3 protocol of X.25. It's a resident virtual circuit for exchanges between the terminals and the SM's processor. Which can be used in switch virtual circuit connections to external databases. Databases -*-*-*-*OSPS uses databases during most calls. To do such functions as check the validity of calling card accounts to prevent cancelled cards from being used. Millions of database queries take place every 24 hours. Because of the immense size of these databases, they can't all fit in 5ESS. So external databases are used. Common channel interoffice signalling (CCIS) links OSPS with external data.

To link with external computers CC7 is used. Data is returned to OSPS from nodes on CCS such as the line info database (LIDB) or billing validation application (BVA). These two nodes handles your Bell's validation of all collect, third number and calling cards. The X.25 protocol is also used to connect OSPS with other databases. Each database has an ISDN directory number. So one can scan out the addresses and access them on the public PSNs. Since your RBOC doesn't want people messing around with their BILLING databases, they are put in a closed user group (CUG). --------------------------------------------------------------------------The LOD Technical Journal: File #7 of 12 (*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*) Testing Operations Provisioning Administration System (TOPAS) LOD - Mystik Freak - LOD (*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*) In order to perform Operations, Administration and Maintenance (OA&M) on switched circuit and facility networks the TOPAS operating system (OS) has been developed. From the "core" of TOPAS the Transport Maintenance Administration System (TMAS) was designed to assist in running the Facility Maintenance and Administration Center (FMAC). As the telephone network became more and more advanced the conduction of OA&M became increasingly difficult. What's brought about this sophistication has been the later versions of electromechanical switching systems, ISDN etc. In order to keep up Artificial Intelligence (AI) ideas are being used as a basis for TOPAS-ES. TOPAS-ES is designed as an Expert System (ES) replacement for TOPAS to handle switch circuit operations. TOPAS-ES performs this circuit maintenance using its AI to find and report on network difficulties. Network Maintenance In the current 5ESS Switch maintenance is performed by TOPAS and the remote measurement system (RMS-D3). Under 4ESS circuit maintenance system 1 (CMS-1) is used. The purpose of RMS-DX is to allow testing on circuits terminating on switches. The network is monitored as the transmission passes through the XESS Switch, the multiplexer (MUX) and the line terminating equipment (LTE). TOPAS and CMS-2 continually monitor the network's status and look for deviations from normal operations and then print up trouble reports. Because so many reported problems are transient or falsely reported as a problem, further testing is done to determine real or "hard" problems. Through such procedures as performing tests on one of more than a million scan points or attempting to receive from one or two ends of the circuit. TOPAS uses two different machines with their own databases when processing: Equipment Interface Tier (EIT) and the Network Support Tier (NST). EIT - An EIT contains a database that has physical information about a Network Element (NE) machines. NST - NST's databases are not interested in NE machines or in physical properties and instead uses mathematical models. Even radical network changes will have only minimal effects. Thus the combination of say fiber and copper wiring on the same circuit or the merging of voice and data communications has no great effect. NST can handle everything from basic trunking to complex

multipoint circuits. Both EIT and NST use Common Languages to communicate with each other. NST will for example query NST about specific equipment, while EIT would query NST about network changes. Since EIT and NST are both in the TOPAS core interactions are quite simple. TMAS TMAS followed TOPAS and in its design, developers reused almost half of TOPAS's core. Since TOPAS and TMAS speak a common language cooperation between the two is possible. Many report procedures are identical such as the DS-1 facility alarms. FMAC TMAS is designed to run with the FMAC. By providing updated route databases, alarm monitoring, detection of network faults etc. TMAS also helps administrate by issuing trouble tickets, switch logs and sending out this data to other personnel from the FMAC. Expert Systems (ES) An ES is a system where the program and the knowledge used in decision making are kept apart. The program contains a set of rules, containing what action should be undertook depending on the situation. This is often referred to as a "shell" that controls the activities of its host system (think of the UNIX shell). ESs in Networks The maintenance of complex networks is an ideal application for an ES. By having the equivalent of the most capable repair mind on each switch. As all the ESs are using a common knowledge base that has everything known about the problem and the most effective way to solve it. Several other ESs have predated TOPAS-ES such as ACE, NEMESYS and GTE's COMPASS. As any technical worker will attest to, network operations are particularly troublesome as the call carrying capacity must be maximized while trying to minimize the congestion that results when traffic exceeds the call capacity of the switching and transmission system. TOPAS-ES TOPAS-ES, is as the name indicates, is an ES version of TOPAS. It works with both TOPAS and CMS-1 in the 4ESS and 5ESS environment. TOPAS-ES has a UNIX routine for each of its three subsystems - knowledge base and inference engine, communication and systems interface and user interface. The inference engine used in TOPAS-ES is "forward chaining" or data driven as it is guided available data to fit prestated conditions to obtain an answer. If it used backward chaining, it would search for data to obtain an answer. Forward chaining is a more effective route to take when data is available and answers to a question (using backward chaining) are unneeded or to slow. Generally, forward chaining in network maintenance is preferred. For example, data indicating that Joe Phreaker is blowing 2600 tones is of more use than attempting to answer a question of "Where are all the foreign tones on the circuit originating from?" To keep up with its immense chores of network monitoring, testing and issuing trouble reports, gathering data and figuring out answers TOPAS-ES runs each of its subsystems at the same time, working in "real time" with the network. Distributed AI (DAI) DAI is where multiple processes which normally act independently, co-operate which one another. TOPAS-ES uses DAI to station one TOPAS-ES at one end of the circuit and another on the other end or at the CO. This enables more computing power to be levied at pinpointing the problem and makes for a

faster, more reliable system. TOPAS-ES can assume either a director or responder mode. If TOPAS-ES is analyzing a faulty circuit it can request or enlist another TOPAS-ES and place it in the responder mode to assist it. Expert System Trouble Analyzer (ESTA) This is one of TOPAS-ES's subsystems and performs the main operations of: trouble ticket analysis and chronic history analysis (CHA). Trouble ticket analysis: Since few problems reported by TOPAS-ES are genuine ones that require attention, ESTA narrows down the hard from the transient problems. ESTA determines this mostly by ordering TOPAS-ES to wait and perform further monitoring. CHA: This exposes faults after repeated transient trouble indications. If the problem persists for longer than X amount of time, with over Y indications of trouble it will be labelled chronic. CHA is designed to pick up on problems that have been passed off as transients and ignored. For example a problem may exist during peak hours but will be passed off as a transient when monitored during off-peak hours. Expert System Trouble Sectionalizer (ESTS) Once ESTA has determined a trouble to be hard it will pass along a "trouble ticket" indicating such information as its duration, current condition and whether its chronic or not. When ESTS has been handed a hard trouble it will "sectionalize" the indicated area on the circuit. This is done by having technicians at each end examine points on the circuit and performing other tests. ESTS is based on the best sectionalization techniques, being an ES. An ESTS sectionalization strategy would work like this: 2600 tones are being heard on the network, circuits are all in normal condition, 2600s are not in internal use and have been labelled as unauthorized, foreign sounds so ESTS would deduce that someone is trying to bluebox. ESTS has a wide list of strategies to try depending on the situation. The most likely to succeed strategies will be attempted first and if this fails all of its strategies will be tried in order of success probability. Once the fault has been pinpointed the relevant repair crew/station will be notified along with a description of the fault. --------------------------------------------------------------------------The LOD Technical Journal: File #8 of 12 International Switching Systems by Mystik Freak LOD - LOD One of the goals behind phreaking has always been to delve into the deepest fathoms of the phone system. Since the barriers of expensive international calling are meaningless to the phreak, the exploration of various telephone systems is possible. This file will investigate some of the switching systems you are likely to encounter around the world. In other words non-ESS/DMS using nations outside the United States. Nothing has ever been said about these systems in "the underground" and what little information that exists publicly is skimpy, hard to find, badly translated or not translated at all and very outdated.

The foundation of any telephone network is in its switching system so a whole new universe of different switching systems is out there waiting for you. ESS does get boring after a while and there is nothing really novel about if, after all nearly everyone lives under it and there isn't that much to discover about it. So branch out internationally to seek new telephone networks and boldly go where no phreak has gone before! I won't spoil the thrill of hearing new tones and discovering new things by giving out all the juicy things you're liable to find, instead this is going to be a broad based overview of 7 switching systems: Sweden - AXE 10 France - E 12 United Kingdom - DSS Netherlands - PRX-D Germany - EWS-D Italy - PROETEO Japan - NEAX 61 There are far more than just these systems out there as shown by this chart of systems indicates: System ~~~~~~ AFDT1 AXE 10 D 1210 DCO DMS 10 DMS 100 DMS 200 DMS 250 DMS 300 DS 1 DSC DSS 1210 DTN 1 DTS DTS 1 DTS 2 DTS 500 DX 100 DX 200 EWS-D E10 E10 B E10 S E12 FETEX 150 FOCUS 5 GTD 5 EAX HDX 10 IFS ITS 4/IMA2 ITS 4/5 ITS 5A I2000 LCS 4/5 MSU MT 20/25/35 Country ~~~~~~~ Italy Sweden US US Canada/US Canada/US Canada/US US Canada Japan US US Italy (Sudan) US Japan Japan Netherlands Finland Finland Germany France France France France Japan US US Japan Switzerland US US US Yugoslavia US US France Type ~~~~ local/tandem local/toll local local/toll local local/toll toll tandem tandem tandem local local/toll/operator tandem tandem toll local tandem local/tandem local local/toll local/tandem local local toll local local local/toll local local toll local/toll local local local local local/toll

local/toll/operator toll toll local local/toll local/toll local local local local/toll/operator local tandem tandem local local local local tandem

Sweden - AXE-10 (+46) ~~~~~~~~~~~~~~~~ The Swedish AXE 10, was developed by Ericsson and in addition to being found in Sweden itself is also being used by over 30 countries. AXE 10 performs most of the basic functions of international switching, local tandems and offices, national transit etc. It covers everywhere from isolated rural areas with only a few hundred subscribers all the way up to huge transit exchanges of a million subscribers. AXE SSS TSS CHS 10 has 3 main susbsystems: - Subscriber and group (GSS) switching - Trunk signalling and (TCS) traffic control - Charging, OMS and Maintenance

Other optional subsystems are: SUS - Subscriber faciltites (OPS) operator functions MTS - Mobile subscriber functions Functions that share the same purpose are allotted to one subsystem. A function block is a group of similar functions within the subsystem. For example the subsystem SSS has a function block called the time switch (TS). Hardware AXE 10 is a digital switching system. Interconnections between subsystems are called "internal digital trunks". To give an example of AXE 10's hardware consider the SSS subsystem. SSS is divided up into lots containing up to 2048 subscribers, up to 128 of these subscribers will then form a line switch module (LSM). Each subscriber has an individual line circuit (LIC) connecting them to the LSM. The LSMs themselves are interconnected by a TS bus (TSB). Each module has a TS that performs switching for the subscriber the TSB and a junctor terminal circuit (JTC). Traffic within subsystems is handled by internal diagnostic links. If the LSM lacks an internal digital link the call is carried by a TSB to another module. Because SSS uses TSS and TSBs the network runs smoothly as a balance

is kept between the subscriber nodes and the internal digital links in use. Subscriber information can be kept either centrally or remotely. TS 16 in a PCM is used to control a remote exchange. If the SSS is remotely located an exchange terminal circuit (ETC) is used. The PCM will then signal between the remote SSS and the ETC. The signalling is controlled by a signalling terminal (ST) on the SSS and ETC ends of the circuit. The trunk signalling system (TSS) interfaces external signals into the AXE 10 signalling scheme. One of the benefits to AXE is that any signalling scheme can be interfaced without impacting on other subsystems. Thus AXE is highly adaptable to network conditions. In cases where analogue lines are connected by either incoming trunk (IT) and outgoing trunk (OT) circuits conversion to digital takes place. Tone signalling is conducted by code receivers (CRD) or code senders (CSD). France - E 12 (+47) ~~~~~~~~~~~~~ CIT-Alcatel and Telic (CIT-ALCATEL) developed the E 12 system bases on the earlier E 10 system to handle the functions of: international gateway inter-city transit medium to large urban area transit subscriber line switching

Capacity The capacity of E 12 depends on call duration, signalling etc. The maximum capacity is currently 1536 digital PCM systems of the 30 + 2 type equalling over 40,000 circuits. Processing up to 110 calls a second. Architecture E 12 is based on the architecture of its predecessor - E 10B. The three main components are: - subscriber and circuit connection units - the central switching system and common control - computerized supervisory and maintenance centre (CTI) The CTI is the second control level supervises several exchanges and handles: line circuit management traffic load data logging maintenance and alarms billing

Three subassemblies allow speech transmission. The TST switching network, the subscriber connection units (URA) and the circuit connection units (URM). System Control Is made up of three levels: - a processing level in the line and circuit connection units, where subscriber circuits are controlled - central common switching control

All of these units are related to a single switch and communicate on a bus LM. MQ - interfaces common control to the central switch and subscriber and circuit connection units MR - receives and retransmits information and adjudicates the opening and closing of connections. TR - stores subscriber and circuit data TX - free metering units OC - control interface unit connects the CTI to other subassemblies. Subscriber Connection Unit Because traffic is concentrated on a small number of digital PCM systems, the subscriber connection unit is needed to provide analog to digital conversation. It also handles remote subscribers. The unit connects thousands of lines to a central TS on PCM channels. Software switching programs - perform loop status sensing, condition detection, connection and disconnection, switch identification. maintenance subscriber status memories etc. monitoring programs - monitor the core of CSE, test and fault tracing routines etc. All programs are written in Assembly. Functions E 12 provides: CCS7 traffic observation automatic fault tracing remote fault tracing service grade measurement operator assistance position automatic call back etc.

Organization E 12 is organized into three areas: - the switching network which handles signalling channels and incoming/outgoing multiplexes - the signalling units which handle channel allocation, CMF, CCS, DTF etc. - a main SPC computer All of which are connected to connection units (see the subscriber connection unit).

Programs The main programs used are: program execution system, interfaces with the rest of the systems program exchange interface IOP (SEST) data interface IOP (SESI) signalling processor (SIG) common programs (PCO) for data call processor (TAP)

Service Management Unit (GES) does man/machine transactions, routing tables and prefixes, signalling type allocations, traffic observation and logs traffic data. Fault Recovery System (DEF) will reconfigure after a detection of a system failure, providing efficient recovery. Tracing and fault isolation (TED) will isolate a fault down to the PCB level and carry out CRCs for fault prevention. Digital Switching Subsystem (DSS) - United Kingdom (+44) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ DSS was created by the British Post Office (BPO) to serve as the nations first digital switch. Subsystems DSS uses specific hardware and software functions to interface subsystems. The main DSS interfaces are located at the following subsystems: call processing system (CPS) maintenance control subsystem (MCS) analogue line termination system (ALTS) network synchronization system (NSS) management statistics subsystem (MSS)

The main connecting interface in DSS is a 2048 kbit/s, 32 channel multiplex. Which is used for example to connect the switchblock and auxiliary units. Trunking DSS is capable of handling international switching centres of up to 20,000 erlangs and over 400 switch requests a second. To meet this the switch must be multistage. The DSS switchblock has identical originating and terminating circuits. A four-wire multiplex has a transit and receive pair on both ends of the circuit. So information on the busy/free state of both is available from one. To achieve spatial routing which is necessary for two channels to be connected, DSS uses integrated circuit multiplexers (encoders). DSS's time dividing in trunking allows single switches to carry large amounts of traffic. The drawback to this is that should a fault occur on this switch, thousands of calls could be disrupted. To ease this risk, synchronous duplication of the TST setup with data comparison and parity checking is done. Subsystem Functions

- digital line termination unit (DLT) interfaces the four-wire, 32 time-slot 2048 kbit/s multiplexers with the switchblock - the TS transfers input time slots to output times slots - space switch (SS) is an integrated circuit set for devices that connect links with the trunk - alarm monitor unit (AMU) - relieves the main cpu's load by handling alarm data - primary waveform generator (PWFG) is the clock with DSS is based on. By sending 8 Khz tone start signals and 2048 Khz bit streams, operations are directed - local synchronization utility (LSU) uses incoming PCM links for timing and maintains the frequency of its oscillators using phase locked loop techniques - input/output buffer (IOB) stores messages from the software to the CLU The Time Switch Buffers the time reception with the time allocated from cross-office switching with the space switch and the actual time of transmission. It also does alarm interfacing between monitoring equipment and trunking. The TS is composed of: - speech stores (including DLT interfaces and store refining registers) - control stores - alarm interface unit (AIU) (including DLT and AMU interfaces) - TS racks - a complete send and receive switch within DSS. The two TSs are used in trunking are in 1 rack with 32 DLT units. - space switch - a set of buffer and crosspoint units. Using the 2048 Khz clock, the transmission of traffic is done on the TS interface buffer. Hardware The processor utility (PU) IOB is interfaced with the CCU by the PSS IOB. The IOB communicates with the following: - command field - ordering operations such as measure, trace, opening or the removing of TSs. - address fields - set network termination numbers (NTNs) that define TSs, circuits etc. - message identity field - cross office slot field - makes sure that traces don't duplicate their efforts by setting the points to start from during fault location. AMU AMU handles DSS's specific functions such as the collection and persistence checking of status info and diagnostic hardware. AMU interfaces to the PU and thus advises the DSS maintenance software on fault areas. AMU receives time and fault switchblock indicators from DLT using AIU in the TS. Persistence checks are done to label the alarm as hard or transient. DLT DLT conducts the line associated functions of monitoring, installation etc. DLT also performs switch-related operations. Several are for simple backup

duplications of such functions as trunking and switch fault detections. DLT Related Functions The line processor encodes or decodes HDB3 signals and recovers the received clock. The clock is recovered by using a ringing circuit. The clock synchronizes the switching centre by providing a network frequency reference. DLT will identify remote alarm information if the distant alarm bit (usually bit 3 in channel 0 of odd frames) shows a problem. DSS will, using AMU instruct MCS to locate the fault. An alarm indications signal (AIS) shows a transmission equipment failure by tossing out a load of "1s" in the frame. Line errors can be detected locally if HDB3 input goes or if synchronization is off. If this occurs MCS is informed and DSS transmits a distant alarm unit signal. Switch-related DLT functions are usually involved in duplicated trunking, fault location or switching channel 0 spare-bits. The most interesting function is fault location. DLT works with maintenance software to locate and diagnose switchblock faults. By using path checks or loop backs, results are sent via AIU to DLT. Paths are tested using check patterns at both ends of a trunk. They can be sent in and monitored on any channel after switching. Registers are used to store the check patterns and they are controlled by the "central office". Or the DLT will "loop back" its transmit channels to the receive input of trunking. Loop back is sometimes combined with a path check. By changing the switch connections a closed loop can be implemented throughout the trunk. Closed loops are very effective in determining hard faults from transient ones. Netherlands - PRX-D (+31) ~~~~~~~~~~~~~~~~~~~ The Processor Controlled Exchange-Digital (PRX-D) builds upon the PRX system with digital-time division multiplexing (TDM) and with other enhancements. PRX-D was developed by Philips Telecommunication as an intelligent SPC system. The three main areas of PRXs are: - the switching network (SWN) - central control complex (CCC) - operator services (OPS) Two different versions of trunk lines are used. An analog version - PRX-A has six linked stages and reed-relay crosspoints of two or four wires or a digital version of the TST type. Local or remote usage is possible by sending traffic to the trunks. The CCC has two types of telecom processors (TCP) to deal with different size exchanges. TCP 18 covers small-medium exchanges and TCP 36 medium-large exchanges using multiprocessing with synchronized pairs. OPS is controlled by a mini-processor called TCP 7. OPS deals with OA&M and AMA. Architecture

PRX-D is made of two layers: - the main layer with the CCC, TCP XX and the control channel processor terminals (CPT), connecting this layer to the control channel (CCH) - another layer of SWN modules and the sub-channel controller (SCC) The digital switching network (DSWN) passes voice and data traffic on 64 kbit/s, 32 channel PCMs. The PSWN has block terminals (TER) which interface to other circuits and allow services and signals to be interconnected by a digital trunk link network (DTN). DTN DTN is a one-way only transmission on a 4 wire connection. The highway-togroup (HGD) and group-to-highway multiplexer (GHM) are 16 inlet ports in 4 X 4 groups. A highway switch (HWS) is a group of up to 128 X 128 highways whose crosspoints can switch from one highway to the next under the control of a highway switch address generator (HSA). A highway-to-group demultiplexer (HGD) does the opposite of the GHM. A digital trunk-line block (DTB) carries a single highway and is controlled by a DTB marker (DTM). DTN utilizes 7 varieties of customized low currentmode logic (CCL) ICs. CCL The central clock (CCL) is made up of the synchronized mode clock generators (CLG), the clock measuring unit (CMU) and sometimes a clock reference unit (CRU). The DTN is sent timing information on 4096 Khz sine waves and 8 Khz alignment pulses. Terminals The 4 main TERs are: - interfacing analog circuits (ACT) - subscriber lines - digital circuits (DLT) - signalling and services (SST) - ACT has a peripheral module controller (AMC), a power supply unit (PSU) and possibly a DTN interface board (DIB). The DIB performs the transmission of timing signals and assigns time slots. - SST handles 2048 kbit/s groups by using DTN for signalling ie. MFC, keytones etc. for services such as voice response systems. Software The operational program for TCP 18 is made up of: - master control program (MCP) - call processing - error management - configuration management The MCP handles the central control unit (CCU), I/O operations and other misc. services. Communication between the main control unit (MCU) and the PMC is done by transport handlers such as the digital trunk marker (DTM), analog circuit terminal (ACT), digital circuit terminal (DCT) and the signalling and service terminal (SST).

Call Handling One part of the Telephony Operating System (TOS) is call processing modules. Which distribute calls to an open CCU depending on network conditions. If a secondary control unit (SCU) is available it will receive the calls. If niether is available then the MCU will receive them. Error Maintenance Error detecting hardware does diagnostics such as checking parity, comparing timeout circuits etc. By using hardware to perform tests, checking is done every time the hardware runs and processing time needn't be wasted running testprograms. When the hardware equipment itself needs testing, testprograms are then used. Germany - EWS-D (+49) ~~~~~~~~~~~~~~~ Manufactured by Siemens Telecom, EWS-D is a complete digital switching system, capable of serving from 200 lines to 60,000 trunks. Architecture Subscriber line terminations and interchange trunks are used with trunk/line groups (LTGs) where digital tone generators and digit receivers are located. A TS performs connections inside of the LTG. Digital switching connects the groups to a central processor (CP). Functions carried out by the CP include overall switching, data storage and remote operation of the system. Here's a quick example of how a call would be processed under EWS-D: - the group processor (GP) sense that the phone is off-hook and gives the caller a tone generator and a digit receiver on the LTG using the group switch (GS). - the GP sends the service requested and the dialled digits to the CP. - CP checks the callers COS, locates a path and informs GP of the caller - the callee's GP finishes the connection with its LTG, sends a ringing and places the callee off-hook. LTG Signals from an analog subscriber's line are converted into PCM signals on the line circuit. Up to four interexchange trunk terminations comprise one module. Four modules make up one highway and up to 128 interexchange trunks can be on one LTG. A basic subscriber line circuit interfaces with any signalling system. Notable functions of the subscriber line circuit are the 50/16 kHz call charge meters on the subscriber's premises, access circuitry for testing and paystation signalling. The PCM 30 transmission system has its synchronization, signalling channel and alarm signal on one module. 2.048 Mbit/s highways are connected to the GS. For a connection to the central network, 4 2.048's become one 8.192 Mbit/s signal. Because the network is duplicated, the identical modules can easily be used for testing. Tones such as MFC frequencies are generated digitally on a LTG and sent to the GS. One change here can effect the entire network. Central Switching Network

By using a central switching network up to 504 trunk groups, equivalent to 100,000 subscriber lines or 604 trunks can be attained. 8.192 Mbit/s interfaces are used between the network and the LTG. As mentioned before the entire network is duplicated. In case of a fault, the network will switch over to its other half. Control and Common Signalling Channels Control channels are grouped into units of 128 for distribution on the 8.192 Mbit/s network. The channels in time lot 0 are switched to the LTG only on transmission links. Only half - 64 of 128 control channels are used. The other half are for future uses. With SS7 the procedure for switching signalling channels though the LTG is identical to that of the control channels. OA&M Digital systems such as this have far fewer errors than analog SPC systems do due to the smaller number of modules. EWS-D is expected to have fewer than 12 hardware faults per 1000 LTGs with less than 2 hours per fault. Both hardware and test programs are used to diagnose both subscriber line and trunk faults. When testing is done on long distance trunks the equipment on the distant exchange and on the transmission system is done. Measuring equipment such as ATME2 look at the director and responder operations. Most local trunks are still copper and EWSD has contacts on the incoming and outgoing circuits for testing. The monitoring of PCM transmission links is integrated into EWS-D. System status is given by an operating terminal indicating system traffic, the failure/active status of redundant central units, LTGs and equipment inside LTGs, the number of removed from active LTGs, subscriber lines and the number of non-switchable call requests. Remote operations can be done via this terminal. Administration tasks are also performed at the operating terminal. When a remote operator is needed, communication equipment such as Transdata is used to connect to the exchanges over the data transmission channel. Italy - PROTEO (+39) ~~~~~~~~~~~~~~ PROTEO was designed by Societa Italiana Telecomunicazioni SpA (SITS). Architecture It is a fully integrated, digital switching system with SPC. Signals are converted from analog to digital and transmitted over a PCM. Capacity is 30,000 subscribers in 32 peripheral exchanges (CTs) hooked up to a transit network (RT) using 32, 2 channel PCMs. Overall control is by a central computer (CC). A lone CT can handle 2,304 subscriber lines with 18 PCMs, 270 LF trunks and possess 2 line control units (UCL) on a connecting network (RC). Subscribers and trunks are connected through a time division multiplex (TDM) and can go directly to PAM without the analog to digital conversion using voice scanners if need be. The CT, can act as a switch if internal subscribers are being switched to

RTs. CT is commonly connected to the RT for interconnections with external switches. The CT has a codecom unit to convert analog to digital or digital to analog for PCM bundle generation or insertion into PAM. A TST connection network is inside the RT and is controlled by the CC using the transit control unit (UCT). The RC switches 64 kbit/s data channels on 2 Mbit/s PCM bundles towards UCS when exchange signalling exists and to UCM when remote signalling comes in on a common channel. If CCS isn't present, then signalling control units (UCS) are used to process signalling codes. Maintenance CC uses LEONE processors in SPC for maintenance and has a BHCA capacity of 150,000. PROTEO handles rural areas quite well as CTs can be located at great distances from the RT. If less than 250 subscribers exist, concentrators will be used to connect them to a CT. Flexibility The modularity of PROTEO is its ability to adapt to different network conditions. By having functions act independently of others, upgrades and maintenance is simplified. Japan - NEAX 61 (+81) ~~~~~~~~~~~~~~~ The NEAX 61 was designed by Nippon Electric Co. and was first installed in the US. But due to its origin it is being included as a Japanese system. It has SPC, PCM TDM and uses a four stage TSST switching network. Specifications circuit capacity: local switching - 100,000 lines, 13,000 trunks toll switching - 60,000 trunks international switching - 30,000 international circuits network capacity - 22,000 erlangs call handling capacity - 700,000 BHCA Architecture NEAX 61 is comprised of 4 subsystems: - application subsystem - several service interface modules each having line and trunk circuits, interface circuits, multiplexers and a controller. This subsystem gives a standard interface to the other subsystems. It controls the terminal circuits and interfaces them with the switching subsystem. Service modules receive information from the processor to establish paths and other actions. Each service module has a terminal and interface circuit, a duplicated controller and primary multiplexer (PMUX) and demultiplexer. The controllers collect terminal circuit scanning data, control the terminal and interface circuits and communicate with the processor. The modules each have their own terminal and interface circuits: - analog trunk interface module - Both the terminal and interface circuits are codecs. Any analog trunk can be used by the module and each trunk has its own codec channel. - analog line interface module - The terminal circuit is an analog line circuit that conducts two to four wire conversion, ringing application, protects against overvoltage and other testing procedures. By using one of

four switch selectable balancing networks an insertion loss less than 0.5 dB is possible. - digital line interface module - Connects PCM analog and digital subscriber carrier lines. The interface circuit is a digital line switch that concentrates digital lines by assigning time slots and putting each time slot on a serial bit stream to the PMUX. - operator position interface module - connects the different operator positions such as toll and directory assistance. Operators converse with callers over position trunk circuits. The controller has a capacity of up to 64 operator positions and the PMUX can have up to 120 operators on a position trunk. - processor subsystem - Maintenance and Administration subsystem - Alarm information is shown on the maintenance frame or at a supervisory test desk. The line test desk platforms subscriber line testing. NEC has a technical assistance center where NEC personnel provide support on a subscription basis. --------------------------------------------------------------------------Sources Various IEEE Documents Helpful International Operators --------------------------------------------------------------------------The LOD Technical Journal: File #9 of 12 Hacking GANDALF XMUX'S ----------------------Written by: Deicide on 03/29/93 =========================== *NOTE: While writing this file I assumed that the reader has a working knowledge of PSNs. The Gandalf XMUX is made by Gandalf Technologies Incorporated. It is one of two popular systems Gandalf makes, the other being the Starmaster/PACX. These systems are very closely knit, as you'll see later, but the focus of this g-file is on the XMUX system. I still don't have a XMUX manual, so this file will be a bit incomplete, but it will give you a good sense of the system; How to Identify it, How to Penetrate it, and How to Use it. There are a number of security flaws in the XMUX, all of which can be circumvented but frequently are not. Occasionally you will find an unpassworded console, in that case just move on to the How to Use it section. The Gandalf systems are very frequently found on all the major PSNs, as Gandalf's themselves often serve as network controllers. Most of the major companies, such as Xerox & Bell Canada, use XMUXs, so it is a good idea to become familiar with the system. How To Find Your XMUX & How To Identify It -----------------------------------------First of all, if you find an unpassworded XMUX it will tell you by the herald "Gandalf XMUX Primary Console Menu" followed by the menu itself. Skip this part for now. But for the rest of you, you probably still need to find your XMUX, and

you need to know how to identify it. Before we get further into this, a small amount of knowledge of the whole scope of the XMUX is needed. Every XMUX is made up of at least 4 parts, each present on every single XMUX. These parts are called: Console Fox Logger Machine The Console is the actual system, the part that has to be hacked, the part that contains the information we are attempting to retrieve. The Fox is a test machine, serving no other purpose except to spout "THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG 1234567890 DE" over and over again. The Logger is displays a line or two of information such as the time & the LCN called, for the most part unimportant. But it does contain the node name. The Machine is basically a system information giver. I have yet to discover all of it's commands, but S gives some systems stats (including the node name) and L is an optional command that supplies the user with a system log (which contains link addresses & UID's). All of these can be useful in some way. The XMUX can be found in a number of ways: - On a standard NUA(XXXX XXXX) - On a standard NUA + extension(XXXX XXXX,XXXXXXXX) - On extensions off of Starmasters & PACXs.(XXXX XXXX,XXXXXXXX) - On LCN's (subaddressing) off any other type of system/OS. ??????????????????????????????????????????????????????????????????????????? NOTE:"Password >" is the password prompt for the XMUX Console, occasionally proceeded by an operator definable system message such as "Vancouver XMUX". To be sure that this is a XMUX prompt, hit <ENTER>. If it returns the message "Invalid Name Names must consist of 1 to 8 alphanumeric characters" Then you are dealing with the XMUX Console. ??????????????????????????????????????????????????????????????????????????? On a standard NUA it will bring you right to the "Password >" prompt, no hassles. You can then proceed to the section that deals with hacking the console. On a standard NUA + extention, it is not so easy. When you first hit the NUA, it will give you the "Remote Directive" error message, telling you that you "forgot" the extention. Now, the error message could mean you forgot the extention for a VAX, also, but we will assume that it is a XMUX on the NUA. This is true only a fraction of the time, but try this on every Remote Directive message, you'll find a good share of XMUX's. First of all, try the LCN (subaddress) of 1 on the NUA. If you come up with the Fox segment of the XMUX (explained earlier) then you have an XMUX Console on the NUA, it's just hiding. If the LCN brings up the Remote Directive message again, then try the extention of LOGGER on the NUA. If it brings up the XMUX Logger, then again, the XMUX Console is there, but with a bit of security added on. If you now know that you are on an XMUX, try the CONSOLE extention. It should bring you to the "Password >" prompt, or occasionally right inside without needing a password. Starmaster's and PACX's almost always have an XMUX attached on to it. Use the Starmaster or PACX's NUA + the extention CONSOLE. It will most likely bring you to the "Password >" prompt. If it doesn't work, try LCN's. If that fails, try "XMUX" or "XCON" from the Starmaster/PACX service prompt. The LCN's off all the other system/OS types is a bit more complicated. You can either guess, pick the likely ones, or try them all. What this is is an XMUX in coexistance with another type of system, such as AOS/VS. The most common way to find these is by adding an LCN of 1 to the NUA of the system. If it comes up with the XMUX FOX section, then you can be sure an XMUX is present. To find the XMUX Console, use LCN's of 4 and above(2 & 3 being Logger and Machine), up to the LCN of 15(maximum on XMUX). If you still

haven't found the Console, and it's returning the Remote Directive error message, now's the time to use the CONSOLE extention. In most cases it'll bring up the "Password >" prompt, or right into the Console Menu. HOW TO PENETRATE THE XMUX CONSOLE "PASSWORD >" PROMPT ----------------------------------------------------To start you off, XMUX Console Passwords MUST be within 1 to 8 alphanumeric characters. Any combination within that boundary is an acceptable password. Now, while it is true that the password could be a random letter/number combination, such as G2Z7SWJ8, and therefore extremely impractical to hack, it is almost a given that the password is a relevant word or abbreviation, with not more than one numeric character, which is usually not even included. Also, you get 4 attempts at a password before being logged off, and remember, you don't even need to find a username. When you first reach the "Password >" prompt it's a good idea to try the defaults(in order of occurance): - Gandalf - Xmux - Console - System Also, Password (no, really), Network, CPU, Switch & Network are also frequently found. Then, if the defaults don't work, it's time for a little calculated brute forcing. If the system has a herald, such as "BenDover Field Communications" then try everything you possible can thing of that is relevant to the herald, such as Bendover, Ben, Dover, BDFC, Field, Telecom, etc. Also, combine these with the defaults, particularly Xmux. As in BenXMUX, or FieldMux, etc. If there is no herald, or all the thing you can think of to do with the herald fail as passwords, then it is time to get the node name. The node name is used very frequently as a password, thus a good thing to try. But where to get the node name with out getting the password first? It is contained in two other places other than the Console, with ALWAYS at least one of the facilities open to you. The Logger (LCN 2, or extention LOGGER) always spurts out the log name first upon connect. This is always available, I have only seen one case in which the Logger information was protected, and that was achieved by wiping it out, which very few administrator's do. The other source is the Machine (LCN 3, or extention MACHINE), a very handy source of information. You will recognize the Machine by its "#" prompt. At this prompt type "S" for system stats. The first thing you see in the system stats is the Node Name. Also, with machines type "L". Occasionally it will be set to show the log, which contains the Link Addresses (usually other netted computers, frequently Gandalfs) and UID's as well. Try the Node Name by itself as a password, then in combination with all the above, such as a combo of Default & Node Name. If you follow all these above methods, 50% of the time you will find the password. If you don't get the password, don't worry, there are many more XMUX's out there with poor security, go for those. But before you move on, try the LCN's from 4-15, frequently you'll find another system, often a private PAD or an outdial. WHAT TO DO WITH THE XMUX CONSOLE ONCE INSIDE -------------------------------------------For those itching to read other people's mail, or retrieve confidential files, etc, you will be very disappointed. Although once inside the XMUX Console you have virtual Superuser status, the commands are all maintenance related. But, often you will find other systems, quite often networks, PADs, & outdials from inside. You will first encounter the primary menu, which looks similar to this: Gandalf XMUX (date) Rev(version) Primary Console Menu (time) Node:(nodename)

Primary Menu: 1. Define 2. Display 3. Maintenance 4. Supervise 5. Exit Primary selection > Now, although there are some other useful and interesting features to the XMUX console, I will only show you the 3 most useful features, those being Abbreviated Command, Service & Call Status. Abbreviated Command is an option found in the Define sub-menu. Hit 7 once inside the Define sub-menu to bring up the Abbreviated Command prompt. Type a ? to show all the abbreviated commands. If there are none, curse your luck and move on to the next feature. If there are some, type them in, one at a time. Each Abbreviated command is really a macro, and a macro of a NUA plus the subaddressing and data character extension needed to enter the system. These can be very useful, not only for the NUA & subaddress, but for the fact that the extension is included. Most times extensions are hard if not impossible to guess, and the macro throws it right in your face. The Abbreviated Command is in the format of XXXXXXXXdEXTENSION, in that the X's are where the NUA is placed, the EXTENSION is the extension characters, and the 'd' is really where the comma goes to separate the two. So if the Abbreviated Command was 55500123dabc, the NUA would actually be - 55500123,abc Service is a menu option also from the Define sub-menu. What it enables you to do is view all the services available, plus their function & LCN. Type "11" from the define menu, then "?" for a list of the services available. Console, Fox, Logger & Machine will always be present. Anything else is a bonus, and should be capitalized upon. For example, if you see "Modem" as one of the services, then enter "Modem" from the Service sub-submenu to see which LCN the modem is on. Display Call Status is a handy command used from the Display sub-menu which gives a log of all the calls the system has handled. In the call log are the NUA's of the system that called, often a netted system such as another Gandalf. --------------------------------------------------------------------------The LOD Technical Journal: File 10 of 12 Tempest in a Teapot ------------------Do-it-yourself techniques to inhibit electromagnetic eavesdropping of personal computers. Grady Ward <grady@netcom.com>

TEMPEST is the code name for technology related to limiting unwanted electromagnetic emissions from data processing and related equipment. Its goal is to limit an opponent's capability to collect information about the internal data flow of computer equipment. Most information concerning TEMPEST specifications is classified by the United States Government and is not available for use by its citizens. The reason why TEMPEST technology is particularly important for computers and other data processing equipment is the kinds of signals components in a computer use to talk to each other ("square waves") and their clock speeds (measured in megahertz) produce a particularly rich set of unintentional signals in a wide portion of the electromagnetic spectrum. Because the spurious emissions occupy so wide a portion of that spectrum, technologies used to block one portion of the spectrum (as pulling the shades closed on a window to stop the visible light portion) are not necessarily effective in another portion. Unintentional emissions from a computer system can be captured and processed to reveal information about the target systems from simple levels of activity to even remotely copying keystrokes or capturing monitor information. It is speculated that poorly protected systems can be effectively monitored up to the order of one kilometer from the target equipment. This note will examine some practical aspects of reducing the susceptibility of your personal computer equipment to remote monitoring using easily-installed, widely available after-market components. I One way of looking at TEMPEST from the lay person's point-of-view is that it is virtually identical to the problem of preventing electromagnetic interference ("EMI") by your computer system to others' radios, televisions, or other consumer electronics. That is, preventing the emission of wide-band radio "hash" from your computers, cabling, and peripherals both prevents interference to you and your neighbours television set and limits the useful signal available to a person surreptitiously monitoring. Viewing the problem in this light, there are quite a few useful documents available form the government and elsewhere attacking this problem and providing a wealth of practical solutions and resources. Very useful for the lay person are: Radio Frequency Interference: How to Find It and Fix It. Ed Hare, KA1CV and Robert Schetgen, KU7G, editors The American Radio Relay League, Newington , CT ISBN 0-87259-375-4 (c) 1991, second printing 1992 Federal Communications Commission Interference Handbook (1991) FCC Consumers Assistance Branch Gettysburg, PA 17326 717-337-1212 and MIL-STD-188-124B in preparation (includes information on military shielding of tactical

communications systems) Superintendent of Documents US Government Printing Office Washington, DC 20402 202-783-3238 Information on shielding a particular piece of consumer electronic equipment may be available from the: Electronic Industries Association (EIA) 2001 Pennsylvania Ave NW Washington, DC 20006 Preventing unintended electromagnetic emissions is a relative term. It is not feasible to reduce to zero all unintended emissions. My personal goal, for example, might be to reduce the amount and quality of spurious emission until the monitoring van a kilometer away would have to be in my front yard before it could effectively eavesdrop on my computer. Apartment dwellers with unknown neighbours only inches away (through a wall) might want to even more carefully adopt as many of the following suggestions as possible since signal available for detection decreases as approximately the inverse square of the distance from the monitoring equipment to your computer. II Start with computer equipment that meets modern standards for emission. In the United States, the "quietest" standard for computers and peripherals is known as the "class B" level. (Class A level is a less stringent standard for computers to be use in a business environment.). You want to verify that all computers and peripherals you use meet the class B standard which permits only one-tenth the power of spurious emissions than the class A standard. If you already own computer equipment with an FCC ID, you can find out which standard applies. Contact the FCC Consumers Assistance Branch at 1-717-337-1212 for details in accessing their database. Once you own good equipment, follow the manufacturer's recommendations for preserving the shielding integrity of the system. Don't operated the system with the cover off and keep "slot covers" in the back of the computer in place. III Use only shielded cable for all system interconnections. A shielded cable surrounds the core of control wires with a metal braid or foil to keep signals confined to that core. In the late seventies it was common to use unshielded cable such as "ribbon" cable to connect the computer with, say, a diskette drive. Unshielded cable acts just like an antenna for signals generated by your computer and peripherals. Most computer manufacturer supply shielded cable for use with their computers in order to meet FCC standards. Cables bought from third-parties are an unknown and should be avoided (unless you are willing to take one apart to see for yourself!) Try to avoid a "rat's nest" of wire and cabling behind your equipment and by keeping all cables as short as possible. You want to reduced the length of unintended antennas and to more easily predict the likely paths of electric and magnetic coupling from cable to cable so that it can be more effectively

filtered. IV Block radiation from the power cord(s) into the house wiring. Most computers have an EMI filter built into their body where the AC line cord enters the power supply. This filter is generally insufficient to prevent substantial re-radiation of EMI voltages back into the power wiring of your house and neighbourhood. To reduce the power retransmitted down the AC power cords of your equipment, plug them in to special EMI filters that are in turn plugged into the wall socket. I use a model 475-3 overvoltage and EMI filter manufactured by Industrial Communication Engineers, Ltd. P.O. Box 18495 Indianapolis, IN 46218-0495 1-800-ICE-COMM ask for their package of free information sheets (AC and other filters mentioned in this note are available from a wide variety of sources including, for example, Radio Shack. I am enthusiastic about ICE because of the "over-designed" quality of their equipment. Standard disclaimers apply.) This particular filter from ICE is specified to reduce retransmission of EMI by a factor of at least 1000 in its high-frequency design range. Although ideally every computer component using an AC line cord ought to be filtered, it is especially important for the monitor and computer CPU to be filtered in this manner as the most useful information available to opponents is believed to come from these sources. V Block retransmitted information from entering your fax/modem or telephone line. Telephone line is generally very poorly shielded. EMI from your computer can be retransmitted directly into the phone line through your modem or can be unintentionally picked up by the magnetic portion of the EMI spectrum through magnetic induction from power supplies or the yoke of your cathode ray tube "CRT" monitor. To prevent direct retransmission, EMI filters are specifically designed for modular telephone jacks to mount at the telephone or modem, and for mounting directly at the service entrance to the house. Sources of well-designed telephone-line filter products include ICE (address above) and K-COM Box 82 Randolph, OH 44265 216-325-2110 Your phone company or telephone manufacturer may be able to supply you with free modular filters, although the design frequencies of these filters may not be high enough to be effective through much of the EMI spectrum of interest. Keep telephone lines away from power supplies of computers or peripherals and the rear of CRTs: the magnetic field often

associated with those device can inductively transfer to unshielded lines just as if the telephone line were directly electrically connected to them. Since this kind of coupling decreases rapidly with distance, this kind of magnetic induction can be virtually eliminated by keeping as much distance (several feet or more) as possible between the power supply/monitor yoke and cabling. VI Use ferrite toroids and split beads to prevent EMI from escaping on surface of your cables.

the

Ferrites are magnetic materials that, for certain ranges of EMI frequencies, attenuate the EMI by causing it to spend itself in heat in the material rather than continuing down the cable. They can be applied without cutting the cable by snapping together a "split bead" form over a thick cable such as a power cord or by threading thinner cable such as telephone several times around the donut-shaped ferrite form. Every cable leaving your monitor, computer, mouse, keyboard, and other computer peripherals should have at least one ferrite core attentuator. Don't forget the telephone lines from your fax, modem, telephone or the unshielded DC power cord to your modem. Ferrites are applied as close to the EMI emitting device as possible so as to afford the least amount of cable that can act as an antenna for the EMI. Good sources for ferrite split beads and toroids include Amidon Associates, Inc. P.O. Box 956 Torrance, CA 90508 310-763-5770 (ask for their free information sheet) Palomar Engineers P.O. Box 462222 Escondido, CA 92046 619-747-3343 (ask for their free RFI information sheet) and Radio Shack. VII Other practical remedies. Other remedies that are somewhat more difficult to correctly apply include providing a good EMI "ground" shield for your computer equipment and other more intrusive filters such as bypass capacitor filters. You probably ought not to think about adding bypass capacitors unless you are familiar with electronic circuits and digital design. While quite effective, added improperly to the motherboard or cabling of a computer they can "smooth out" the square wave digital waveform -- perhaps to the extent that signals are interpreted erroneously causing mysterious "crashes" of your system. In other cases, bypass capacitors can cause unwanted parasitic oscillation on the transistorized output drivers of certain circuits which could damage or destroy those circuits in the computer or peripherals. Also, unlike ferrite toroids, adding capacitors requires actually physically splicing them in or soldering them into circuits. This opens up the

possibility of electric shock, damage to other electronic components or voiding the warranty on the computer equipment. A good EMI ground is difficult to achieve. Unlike an electrical safety ground, such as the third wire in a three-wire AC power system, the EMI ground must operate effectively over a much wider part of the EMI spectrum. This effectiveness is related to a quality known as electrical impedance. You desire to reduce the impedance to as low a value as possible over the entire range of EMI frequencies. Unlike the AC safety ground, important factors in achieving low impedance include having as short a lead from the equipment to a good EMI earth ground as possible (must be just a few feet); the gauge of the connecting lead (the best EMI ground lead is not wire but woven grounding "strap" or wide copper flashing sheets; and the physical coupling of the EMI into the actual earth ground. An 8 ft. copper-plated ground may be fine for AC safety ground, but may present appreciable impedance resistance to an EMI voltage. Much better would be to connect a network of six to eight copper pipes arranged in a sixfoot diameter circle driven in a foot or two into the ground, electrically bonded together with heavy ground strap and connected to the equipment to be grounded via a short (at most, several feet), heavy (at least 3/4-1" wide) ground strap. If you can achieve a good EMI ground, then further shielding possibilities open up for you such as surrounding your monitor and computer equipment in a wire-screen Faraday cage. You want to use mesh rather than solid sheet because you must preserve the free flow of cooling air to your equipment. Buy aluminum (not nylon) screen netting at your local hardware store. This netting typically comes in rolls 36" wide by several feet long. Completely surround your equipment you want to reduce the EMI being careful to make good electrical bonds between the different panels of netting and your good earth ground. I use stainless steel nuts, bolts, and lock washers along with special non-oxidizing electrical paste (available from Electrical contractors supply houses or from ICE) to secure my ground strapping to my net "cages". A good Faraday cage will add several orders of magnitude of EMI attenuation to your system. VIII Checking the effectiveness of your work. It is easy to get a general feeling about the effectiveness of your EMI shielding work with an ordinary portable AM radio. Bring it very close to the body of your computer and its cables in turn. Ideally, you should not hear an increased level of static. If you do hear relatively more at one cable than at another, apply more ferrite split beads or obtain better shielded cable for this component. The practice of determining what kind of operating system code is executing by listening to a nearby AM radio is definitely obsolete for an well-shielded EMI-proof system! To get an idea of the power and scope of your magnetic field emissions, an ordinary compass is quite sensitive in detecting fields. Bring a compass within a few inches of the back of your monitor and see whether it is deflected. Notice that the amount of deflection decreases rapidly with distance. You want to keep cables away from magnetic sources about as far as required not to see an appreciable deflection on the compass. VIIII Summary

If you start with good, shielded equipment that has passed the FCC level B emission standard then you are off to a great start. You may even be able to do even better with stock OEM equipment by specifying "low-emission" monitors that have recently come on the market in response to consumer fears of extremely low frequency ("ELF") and other electromagnetic radiation. Consistently use shielded cables, apply filtering and ferrite toroids to all cabling entering or leaving your computer equipment. Finally, consider a good EMI ground and Faraday cages. Beyond this there are even more effective means of confining the electrical and magnetic components of your system through the use of copper foil adhesive tapes, conductive paint sprays, "mu metal" and other less common components. --------------------------------------------------------------------------The LOD Technical Journal: File #11 of 12 OOOOOOOOOOOOOOOOOOOOOOOOOOO OOOO OOOO [] [] []Presidential Security[] [] [] OOOO By Argon/LOD OOOO OOOOOOOOOOOOOOOOOOOOOOOOOOOOO This phile is intended to give a glimpse into what's behind all those sternfaced, emotionless secret service agents that surround the president and to give analysis into the security surrounding our executive branch. Our current President, or more formally Commander in Chief is as everyone knows is Bill Clinton. Ever since his inauguration he has been under supposedly "tight" security. However, even with up to double the normal security allotment he is still at risk. And the list of would be assassins is large, everyone from Iraqis, Serbians, Islamic fundamentalist militants and if you listen to these conspiracy theories you can throw in the military industrial establishment and heck even the religious right has motive for assassinating the CINC. Which has given rise to millions of dollars worth of hardware and Secret Service payrolls for his protection. 200 agents, personal security teams and body-guards watch our CINC 24 hours a day without rest. What I intend to analyze is the methods of protection utilized by the SS, their weaknesses and how they can be rectified. As the most powerful individual in the world, our president must be safeguarded at all costs, as he is an extremely high profile target. Nothing could give a terrorist group more publicity and recognition that assassinating the American president. Hopefully, the SS can keep this in mind when reading the recommendations suggested later on when they review this journal for their computer crime investigations... Perhaps someone will bring this to the CINC's attention, as for the next 3 odd years the only relevancy of this phile is in ensuring *his* safety. 4 US Presidents have been assassinated in our nation's history so with such a risk of assassination no cost in protection is to high. The huge Whitehouse budget can easily afford to spend more on security and less on bureaucracy. At first glance, a Presidential assassination seems very simple. After all, he's in front of the cameras up to 2 hours each day and its's no secret where to find him, just stroll over to 1600 Pennsylvania Av. The Whitehouse doesn't

appear to be well defended, the windows aren't sandbagged, there is no barbed wire, electrified fence, guard towers, minefields or even a solid wall. Just a fragile and cosmetic black gate fence. This first impression is entirely incorrect. The Whitehouse is ringed in other tall buildings, giving SS sharpshooters an excellent position to fire from. Behind all the stonework they have a superb spot to cover the Whitehouse with. And the uncluttered Whitehouse lawn gives them a clear field of fire. Anyone stupid enough to simply scale the fence, or ram through it would be cut down in a hail of fire before making it halfway across the lawn. Coming from those perched in the surrounding buildings, and the agents inside the whitehouse. The sharpshooters posted to presidential security are simply the best at what they do. They don't "miss". Perhaps the most effective route for a terrorist to take would be to attack the President while he's airborne in either a helicopter or airplane (in this case Air Force 1). Here the President is certainly at his most vulnerable. Infrared (IR) guided surface to air missiles (SAMs) such as the Russian SA-7 or newer SA-14, or the US Stinger could be used with deadly effect to shoot down the aircraft. All aircraft the President travels in are equipped with IR jammers such as the ALQ-144, which send out hotter heat waves than the aircraft does in different directions from a small pylon shaped group of lenses. Presently most missiles are not advanced enough to pick out the aircraft from all the other false directed heat. Non IR guided systems can be utilized though. The British Shorts Blowpipe or Javelin however are optically guided, by means of a joystick and monocular sight. So IR jamming is useless. The only way to really avoid them is to silence the person guiding it. And these are not too difficult to obtain, they have already been used by the Afgan rebels. So obtaining these and other SAMs is relatively easy, as they are found in many of the world's hotspots for the right price. There is no effective safeguard in place by the SS to protect the Presidents aircraft from an optically guided SAM. Even if a terrorist has no access to a SAM aerial assassinations are still possible. A small "Cessna" like aircraft could simply be used in a "Kamikaze" like role by colliding midair at high-speed with the president's helicopter. Given the superior speed of a fixed wing aircraft the helicopter pilot would have to be highly skilled to avoid it. Presidential pilots are trained in such avoidance techniques but whether they could dodge one in practise is unclear. The Soviets used to have a phobia about helicopters because of their low speed and high vulnerability to SAM's, ground fire and aircraft. Consequently Secretary Generals and high ranking officials never flew by helicopter. The President should likewise cease travel by helicopter as well. Conventional fixed wing flights are much safer. Only during takeoff and landing is the President vulnerable, and then only to SAM's. Groundfire is ineffective against large body aircraft and with greater speed and size the risk from "Kamikaze" style attacks is reduced. Fighter cover, usually from F-14's is occasionally provided so any hostile aircraft (such as a Kamikaze Cessna) wouldn't stand a chance. As Air Force 1 moves at slow speeds during landings or is slowly accelerating off the ground during takeoff's there is an *alarming* threat from SAM's. Slow moving giants like Air Force 1, are turkey shoots for agile, supersonic man-portable SAM's. When taking off or landing at a public airport an assassin has many places to make a hidden lanching from. With a range of over 2 Km, Air Force 1 is vulnerable for a *long* period of time. As it climbs, it has no speed or room to manoeuvre. Even if it could, commercial airliners are not known for their agility. The only hope then is through IR jamming, electronic jamming, chaff or flares. Since the assassin knows the runway position, he knows the direction of where Air Force

1 must takeoff or land from. There would be less than 15 seconds before launch and impact. The launch-warning beeper aboard Air Force 1 would only just be recognized before Air Force 1 would be blown from the sky. To reduce this risk, the President should takeoff and land from well-secured, isolated military airfields when travelling domestically and internationally and stick as much to ground transport as possible. By using secret travel plans (such as which airport he will arrive at in New York for example) an assassin won't know which airport to cover. After all the public doesn't need to know the Presidents air travel itinerary. Another policy used by the SS is to keep the specific details of the Presidents movements secret. Everyone knows when the president will be giving a speech, but the exact times are always classified. Which complicates the assassins operation, as careful planning in advance is required. Whenever the president's exact location has been made known in advance, security is always *tight*. For example during the State of the Union address the entire vicinity is sealed off. However security during these events and regular operations must be increased. One threat is from anti tank guided weapons (ATGWs). Optically guided along a thin wire for in-flight corrections they have a range up to 3 Km. Or from bigger air or ground launched missiles such as the Maverick. An assassin could fire from the other side of DC, into the stands during the inauguration ceremony for example. Not only the President would be eliminated but so to would all the supreme court justices, the former President and Vice-President, the new Vice-President - the whole government. The same applies when the President addresses a joint session of congress. Using guided weapons, an aircraft or even an improvised nuclear device (IND) the *entire* judicial, legislative and executive branches of the US government would be eliminated! Such a congregation of VIP's is a flawed idea from the start. Tradition should give way to reason and smaller events should replace them. Celebrating democracy is great but to risk the entire US government? So far only advanced methods of assassination have been examined. The possibility of a "lone gunman" using basic methods, with no more than personal weapons still remains. Take for example, the president giving an address to university graduates. It would take less than 2 seconds, for an assassin to remove his hand from an undercoat, clenching a firearm to aim and fire one round. Against this it takes a minimum of one second for the SS agents to react to the initial movement of the assassin's hand, one second to draw their weapons and another two to aim and fire. The president could be dead before the SS had finished aiming. Of course in some cases audiences are searched with metal detectors for weapons. It doesn't take a genius to smuggle in a small handgun into an audience of a few thousand though. The only option here is to reduce or eliminate public appearances by the President. But as the President would no doubt insist on being visible and open for all the cameras it isn't likely. Better checking of the site beforehand and on audiences is necessary then. A similar situation exists with say, the motorcade on inauguration day, where the President often leaves the car to walk alongside it. Here the SS is out in great force with rifles trained and ready. But we are back to our fundamental disadvantage. The assassin will always have at least a 1-2 second jump on the SS. As was mentioned before, by moving towards ground transportation instead of air the President is much safer. As you might already know the President

travels in a "bullet proof" custom built vehicle. It goes everywhere that he does. When he goes to Russia, so does the car. The car's armour will stop small arms fire (ie. handguns, automatic weapons, rifles etc.) However, fire from a crew served 12.5mm gun will penetrate it. Since a gun of this size is to large and bulky to be concealed from a hundred odd SS agents it's not a worry. Remotely fired ATGW's or pre-positioned explosives are. Pre-positioned explosives won't work as the president's exact route is usually classified. When it's not secret, like on inauguration day or a parade, the route will have been carefully combed over a dozen times for explosives. And the manhole covers welded shut to prevent anyone from placing explosives beneath the road. The bullet-proof car however isn't ATGW-proof. Their shaped charges are designed for penetrating main battle tanks (MBTs) with frontal armour a foot thick. It would be best for our president to travel in a modified M1A1 Abrams MBT. Some ATGW's may be able to penetrate its rear or perhaps side armour but no existing ATGW's will penetrate its frontal armour. As its made of topsecret "cobham" plating which is several times stronger than an equivalent amount of traditional steel. Most assassinations are not done through the use of violent force. They are more subtly done using poison for example. Whitehouse security around the president's food is almost non-existent. Even if the food was "checked", ie. some bloke eats portions of it first and is watched for sickness, it could never reduce the risk poised by long term or delayed acting poisons. What should be done then? The President should appoint an agent to go out and randomly purchase food from restaurants and keep it under guard. This way no one will know which food to poison. A simpler method is to infect one's hand with it (after consuming an antidote), and then shake the president's hand, transferring the poison to him. Saddam Hussein, has a solution to this - the hands of visitors are disinfected prior to meeting the dictator. Airborne bacteria could be let loose near the president to cause infection too. Perhaps the Whitehouse should have its own sealed environment to guard against this. Our president is as stated earlier in much peril. It's only a matter of time before a group or faction builds up the nerve to attempt an assassination. When they do, enough loopholes in the security arrangement today exist for success. By acknowledging and acting upon some of the recommendations made here, the global disruption that would result from an assassination or attempt of one can be prevented. At the very least the president must cease travelling by helicopters, increase security at public appearances and guard against poisons. To give our president the security that is truly justified by his important role, the president must keep appearances to a minimum, reduce the number of officials at major ceremonies and consider travelling by armoured vehicle to avoid the dangers poised by ATGW's or RPG's. --------------------------------------------------------------------------The LOD Technical Journal: File #12 of 12 Network News & Notes =------------------= If some of this seems a little "old", do keep in mind that everything since '90 has to be covered. As most of the other 'ZiNeZ are narrowly focused on major publications and miss out on current events in the industry and a lot of other interesting news. ---------------------------------------------------------------------------

DCS Comes to Russia (Tellabs, April 1993) A Tellabs TITAN 532E digital cross-connect system (DCS) and 452 series transcoders have been installed by Moscow Cellular Company, a joint venture that includes US West and Moscow public telephone network operators, to boost capacity in its cellular transmission network. The DCS, which is the first to be installed in Russia, increases the capacity of the Moscow mobile switching centre (MSC) by "grooming and filling" partially-filled 2 Mbit/s PCM links from radio base stations. The 452 60channel transcoders are used to double the capacity of 2 Mbit/s PCM transmission links between base stations and the MSC. ---------------------------------------------------------------------------UK Renumbering (BT, April 1993) A campaign to prepare its customers for changes to national and international dialing codes was launched by British Telecom (BT) on 1 February 1993. The changes announced last year by the Office of Telecommunications (OFTEL), will take place on 16 April 1995, more than two years hence. BT is starting its publicity campaign now, however, so that everyone will be ready. The changes follow extensive and lengthy consultation by OFTEL with representatives of telephone users, operators and equipment manufacturers. The creation involves the additional codes and numbers needed to cater for the growth of the telecom services well into the next century, provide capacity for new operators entering the market. Area dialing codes will have a "1" inserted after the initial "0". For example Cardiff's 0222 becomes 01222 and Central London will change from 071 to 0171. The international dialing code changes from 010 to 00. This is a European Community requirement based on CCITT Recommendation E. 160. Five cites will be given completely new codes and their existing six-digit local number will be increased to seven digits. Codes which do not denote a geographic area, for example Freefone 0800 numbers, mobile codes such as 0860 and 0850, and information and entertainment services on a code such as 0891 will not change. ----------------------------------------------------------------------------BT checks into the Holiday Inn (BT, April 1993) The Holiday Inn hotel chain with more than 1700 hotels in 54 countries, has signed a 2-million pound sterling three-year contract for BT's global network services. Under the contract, BT will provide Holiday Inn with a tailor-made data network which will connect the company's hotels in the Asia-Pacific region with its headquarters in the US. One of the main applications of the network will be to run the chain's Holidex hotel computer reservation system. Initially, the service will be available in five countries - Hongkong, Singapore, Japan, Australia and the US. Eventually, the network will be extended to cover 99 sties in 27 countries in the Asia-Pacific region, the Middle East, Africa and the US.

----------------------------------------------------------------------------Trunk Protection for Telefonica (Telecommunications radioelectriques et telephoniques (TRT), March, 1993) Philips Telecommunications the Spanish subsidiary of Philips, has started to deliver the DCN 212 1+1 switching protection systems to Telefonica. The equipment will be integrated into the Ibermic network to improve 2-Mbit/s trunk protection and quality in the national and international links. The systems ordered by the Dedicated Networks Department will be implemented in the Iberian Peninsula, in the Balearic and Canary Islands. One DCN 212 system can permanently supervise 12 independent 2-Mbit/s links. Its cyclic redundancy checking (CRC4) device enables it to perform an automatic switch-over between the main and standby links. This not only allows service to be maintained in the event of link failure but also provides and improvement of the link performance. DCN 212 is manufactured in France by TRT. ----------------------------------------------------------------------------Nokia DX200 system for Malaysia (Nokia, March 1993) Nokia will delivers its DX200 digital switching system to Malaysia. A fiveyear frame agreement signed with Jabatan Telekom Malaysia calls for the installation of some 800,000 subscriber lines. The total value of the project, which also includes installation, commissioning and training is estimated at more than 700 million Finnish marks. The project will be implemented by Sapura-Nokia Telecommunications. Development of the telecom infrastructure has been designated as one of the highest priorities in Malaysia. the goal is to provide, by the year 2000, for universal access to the telecom services and to develop a Malaysian telecom industrial base. The current agreement is part of a plan that calls for the installation of some 4 million subscriber lines during the next five years. As part of the switching project, Sapura is establishing the DX200 subscriber line cards. With the Telekom Malaysia order, Nokia's DX200 system is now installed or on order in more than 20 countries. ----------------------------------------------------------------------------Polish Mobile Radio (Ericsson, March 1986) Poland has signed a contract with Ericsson for the delivery and implementation for a new mobile radio system. The order has, in its initial phase, a value of 16.5 million US. The system, known as EDACS, belongs to the new generation of digital trunked radiocom systems. It will be shared by the Polish police and fire brigade operating in the Warsaw police district, providing day-to-day instant communication between individuals and work groups in the field. the system includes more than 3000 handheld and mobile radios. EDACS, which will be installed in Warsaw during the second half of 1993, has digital encrypted voice, mobile data transmission capability, emergency call facility, WAN and fault-tolerant design. ----------------------------------------------------------------------------BT's DMS SuperNode 300 (BT, March 1993)

NT has installed what is said to be the world's largest international gateway in Madley for BT. The digital multiplex system (DMS) SuperNode 300 is the first of BT's international gateways to have fully integrated ISDN capability. The DMS SuperNode 300 has capacity for 45,000 ports. The switch's capacity to handle an extremely high volume of calls through its SuperNode central processing complex is further enhanced by its "non-blocking" matrix network architecture (ENET). This architecture guarantees each individual cell access to an international route, thereby reducing the incidence of call failures resulting from congestion in the exchange. ----------------------------------------------------------------------------Taiwan's Fortress Fones (Telecommunication Journal, March 1993) Taiwan has ordered a further 5000 optical card payphones from Landis & Gyr Communications, bringing the total to 27,500. Eight million optical coded phonecards will also be delivered. Landis & Gyr's Communications Division has now supplied more than 1 million payphones and 350 million phonecards to 65 countries. ----------------------------------------------------------------------------Swedish SDH (Telecommunication Journal, February 1993) Swedish Telecom is building a complete transport network based on synchronous digital hierarchy (SDH) and has signed an agreement with Marconi SpA and Ericsson Telecom AB about the supply of equipment for the new network, including transmission and cross-connect equipment based on SDH technology. In addition, Ericsson will deliver a management system serving all equipment in the network. Among the first parts of the network to be equipped is the "triangle" Stockholm-Goteborg-Malmo. The transmission equipment on these routes will have a capacity of 30,000 simultaneous telephone calls; the transmission capacity is 2.5 Gbit/s per fiber pair, which is the highest capacity available on the market today. Over the next few years, the deployment of SDH will mainly meet the needs imposed by traffic growth. SDH will be introduced in the national longdistance network, in the regional parts of the network and in the local network, the ultimate goal being a country-wide SDH network. ----------------------------------------------------------------------------Italian GSM network (Ericsson, Feb. 1993) Societa italiana per l'Esericzio delle Tleecomunicazioni pa (SIP), the operator of the Italian mobile phone network, has inaugurated its new GSM digital cellular network which is now on line in all of Italy's major cities. It will subsequently be extended throughout the country. Italy has grown faster in mobile telephony than any other country in Europe since SIP launched its analog total access communication system (TACS) in April 1990. SIP is now one of Europe's three largest telephone systems operators, with more than 700,000 subscribers. The Ericsson Fatme-Italtel consortium is the general supplier of both the TACS network and all exchanges and base stations controllers in the Italian GSM network. The consortium is also supplying 75% of the GSM radio base

stations. ----------------------------------------------------------------------------NT Introduces CT2 Fone (NT, Feb. 1993) NT has introduced in Hongkong its Companion wireless communications system, which uses the widely accepted CT2 common air interface (CT2 CAI) radio standard. This is the first phase of a worldwide introduction of the product which in 1993 will include other locations in the Pacific Rim, as well as the US, Canada, Europe, the Caribbean and Latin America. The Companion system, uses portable, personal telephones that fit into a pocket or purse freeing people to move about as the work. It is available as an enhancement to an existing business telephone system or as a stand-alone system. More than 1 million US in orders for the product have been received in the Hongkong area where the system operates in the 864-868 MHz frequency range. ----------------------------------------------------------------------------Lossless 4 X 4 switch (Ericsson, Feb. 1993) Ericsson recently developed what it claims to be the first "lossless" monolithic optical 4 X 4 space switch, ie. a switch that does not attenuate a switched signal, a major problem with previous monolithic optical switches. Optical space switches of this type are key components in the future broadband transport network. The experimental indium phosphide (InP) switch chip comprises 24 integrated optical amplifiers and can be connected to four input and four output optical single mode fibres. ----------------------------------------------------------------------------BT Launches SuperJANET (BT, Feb. 1993) SuperJANET, a new high-speed fiber optic network to be provided by BT, will link computer systems in universities and polytechnics in the UK. BT has been awarded the contract for the network by the Information Systems Committee (ISC) of the University Funding Council (UFC). Under the contract, BT will collaborate with the Science and Engineering Research Council/Universities Funding Council (SERC/UFC) Joint Network Team to design and implement the new network, to be called SuperJANET (joint academic network). It will augment the existing private JANET network created during the early 80s. SuperJANET will be able to transmit information up to 100,000 times faster than the standard telephone network, with the initial phase of the project linking sites as the Cambridge and Manchester universities, Rutherford Appleton Laboratory, University College London, Imperial College London and Edinburgh University. The core network will use a mix of PDH and SDH high performance optical fibre technologies and pilot phase will be established in March 1993. The new network will cover a range of transmission speeds, initially from 34 through to 140 Mbit/s. ----------------------------------------------------------------------------Swiss ISDN (Telecommunication Journal, January 1993)

SwissNet 2, the second phase in Switzerland's ISDN, is now in service. It offers narrow-band ISDN capable of transmitting at higher speeds and at reduced tariffs data, images and conversations which until now had to be routed over separate networks. Up to eight terminals, of which two can be used simultaneously, can be connected to the basic ISDN line thus allowing the transmission of images or data at the same time as a telephone conversation is taking place. Another important advantage is the possibility of using Group 5 telefax which has a transmission speed of up to ten times that of Group 3. In addition to the transmission service, various supplementary services such as multiple subscriber number, calling-line identification, call waiting, call forwarding, are available at no extra charge whilst other optional services such as direct dialing-in, closed user groups and outgoing call barring can be obtained against payment. Monthly charges are 50 Swiss francs (CHF) for a basic connection of two Bchannels at 64 kbit/s and one D-channel at 16 kbit/s and 500 CHF for a primary connection of 30 B-channels at 64 kbit/s and one D-channel at 64 kbit/s. Installation charges for the two types of connection are respectively 200 and 400 CHF. Communication charges will be made up of three elements representing the costs of call set-up, call preparation and interruption, and call duration. SwissNet 2 conforms to the CCITT Blue Book Recommendations and can therefore connect to other ISDNs conforming to international standards. ----------------------------------------------------------------------------NT's SDH in Russia (Telecommunication Journal, January 1993) MACOMNET, a new company set up as a joint venture between the Andrew Corporation and the Moscow Metro, has awarded a 840,000 US contract to NT for synchronous digital hierarchy transmission equipment. MACOMNET will use the metro infrastructure to permit the rapid establishment of a fiber-optic network in key areas of Moscow. Operating as a "carrier's carrier", it will provide a high-quality, highly reliable managed digital transport service beginning in spring 1993. Initially it will provide E1 (2 Mbit/s) circuits to other operators and private customers in Moscow. ----------------------------------------------------------------------------Cantat-3 direct links to Eastern Europe (Telecommunication Journal, January 1993) Teleglobe Canada Inc. has formed a consortium with 20 European and United States carriers to lay a 385 million US high-capacity fibre-optic cable linking North America with Western and Eastern Europe. NT's STC Submarine Systems has been chosen as sole supplier of Cantat-3. When completed in 1994, this first direct fibre-optic link between Canada and Europe will provide multi-media communication services of greater speed and capacity than ever before. The new cable will be the first of its kind to operate to the new international SDH transmission standards and the first at a transmission speed of 2.5 Gbit/s, offering an unprecedented 30,000 circuits per fibre pair. Cantat-3 will be the largest direct link from North America to Germany, Scandinavia and the UK. It will link directly with the Denmark-Russia and

planned Denmark-Poland cables. An overland link though Germany will give entrance to the heard of Eastern Europe. ----------------------------------------------------------------------------Fibre-optics Under the Pacific (MCI, January 1993) MCI International, Inc., together with 46 international telecom carriers, has announced the signing of a construction and maintenance agreement for TPC-5, the first undersea fibre-optic network in the Pacific. The 25,000 km fibre optic system interconnects the US mainland at Oregon and California, extends out to Hawaii, Guam and Miyazaki and Ninomiya in Japan, and then stretches back to the US to complete the loop. The network segments between California, Hawaii, Guam, and Miyazaki will be in service by late 1995. The entire TPC-5 network will be completed by late 1996. The system can transmit up to 5 Gbit/s per fibre par which is equivalent to 60,480 simultaneous conversations. Once completed the 1.3 billion US network will provide instantaneous restoration by shifting voice, data and video signals to a spare fibre on the network. In the unlikely event that a break occurs somewhere along the cable route, the network's loop configuration ensures instant restoration by re-routing signals. ----------------------------------------------------------------------------NT Announces Contracts (Telecommunication Journal, January 1993) NT has announced several contracts for its Meridian ISDN network. The Greek national airline, Olympic Airways, has purchased a 6000 line network that will provide specialized business communication services for employees and customers at its major locations. Kuwait Oil Company has ordered an 8000 line ISDN valued at over 3 million US to restore, modernize and expand the company's private communications network. The five millionth line of Meridian digital centrex was shipped to the US market to Centel's network in Florida. NT will also be installing a country-wide network for the Security Directorate of Jordan. The network of 78 Meridian SL-1 PBX systems is the largest private network in Jordan and links most of the police centres, providing voice and data communications across the country. ----------------------------------------------------------------------------Croatia Orders AXE (Telecommunication Journal, January 1993) The Croatian Post and Telecommunication (HPT) has awarded Ericsson a contract for the delivery of four international telephone exchanges for Croatia. The AXE exchanges will be installed in the cities of Zagreb, Rijeka, Split and Osijek. They will be delivered from Sweden and from Nikola Tesla in Zagreb. ----------------------------------------------------------------------------911 Enhanced (AT&T Technology, v.7 no.3) AT&T Network Systems introduced software and equipment that will allow local telephone companies and other network providers to furnish enhanced 911 emergency calling services to more people nationwide.

Seven new products range from enhancements to AT&T's 5ESS Switch to PC-Based systems that can pinpoint the location of a person calling to report an emergency. The new software and equipment includes: + 5ESS Switch enhancements, allowing it to support standard E911 features such as call routing, and to work with analog answering point equipment in public and private networks, ISDN answering point equipment in private networks. + Automatic Location Identification/Database Management System (ALI/DMS) hardware and software. This matches callers' phone numbers with addresses and provides this information to attendants as they answer calls. + The Alive Database System. This PC-base system provides detailed descriptions of the 911 caller's location. Public Safety Answering Point Equipment receives the incoming calling number and location information from the local database and displays it to answering point attendants. + Intelligent Public Safety Answering Point Display shows the 911 caller's number and location along with call-transfer information on a single computer screen. + Computer-Aided Dispatch System helps make decisions on which police cars, ambulances, or fire trucks to send to an emergency, to find where these vehicles are located at the time of the call, and to determine the fastest way to get them to the emergency site. + An ISDN Public Safety Answering Point System connects to the telephone network over ISDN Basic Rate Interface (BRI) channels. The system is available now to private-network customers such as universities, military bases, large businesses and airports, and will be available for communities as ISDN becomes more widely deployed. ----------------------------------------------------------------------------First BNS-2000 Delivered (AT&T Technology v.7, no.3) PacBell and GTE recently accepted delivery of AT&T Network System's first BNS-2000 broadband networking switches and began installing them to facilitate their Switched Multimegabit Data Services (SMDS) offerings scheduled to begin in September. These are the first BNS-2000 switches to be installed in the PSTN. The BNS2000 Switch is fast-packet cell-relay system which uses ATM (asynchronous transfer mode) cells designed for broadband ISDN applications. PacBell will install a BNS-2000 Switch in its Los Angeles service area and is scheduled to initiate SMDS in Los Angeles, San Francisco, Anaheim, and Sacramento in September. Similarly, GTE will install its BNS-2000 in Long Beach, California, and plans to initially offer SMDS, which the company calls MegaConnect, in the Los Angeles area, also in September. Next year, GTE plans to extend MegaConnect to Seattle and Everett, Washington; Beaverton and Portland, Oregon; Raleigh-Durham, North Carolina; Tampa, Florida and Honolulu, Hawaii. Up to now, telephone companies had been using early models of the BNS-2000 to test market SMDS. In one such test, PacBell and GTE interconnected Rockwell

International Corporation's LANs between its Canoga Park office (served by PacBell) and its Seal Beach Facility (served by GTE). The differentiator of the BNS-2000 remains its ability t let our customers, like PacBell and GTE, start SMDS frame relay services now and evolve easily to additional ATM-based BISDN services. ----------------------------------------------------------------------------Russia's Big Steel Buys AT&T PBX (AT&T Technology v.8 no.1) One of the world's largest steel manufacturing facilities, Magnitogorsk Metallurgical Works, has signed an agreement to purchase an AT&T DIFINITY Communications System, replacing its 1930s-vintage telephone system. The new PBX will provide advanced communications to the more than 60,000 employees in several buildings on the company's campus. The first phase of the $5 million project-installation of a 4,000 line DEFINITY G3R will be completed later this year. AT&T made the sale with NPO Chermetavtomatika, the Russia-based distributor for AT&T business communications systems. The company, located on the Ural River, was built with American assistance and technology, and supplied much of the armament and tanks used during World War II. Today, the multiplebuilding campus includes a hospital and a farm, used to grow agricultural products for the town's residents. Magnitogorsk is a major exporter of steel products to companies around the world. It had been using several key systems, as well as two large step-bystep systems, similar to those in US telephone company COs during the 1930s. Maintenance had become increasingly difficult, and it needed an advanced communications system that would enable it to communicate efficiently internally and with its customers. According to AT&T, Magnitogorsk selected the DEFINITY system based on the technology and its capacity to handle the huge company's communications needs, coupled with the distributor's responsiveness and level of knowledge. The DEFINITY system's distributed architecture makes it possible for a single system to handle the communications needs of the entire complex. Campus buildings will be connected via remote modules, and the cable linking the modules will run through existing steam tunnels. ----------------------------------------------------------------------------Fast Switch for ATM Service (AT&T Technology v.8, no. 1) Service providers can now offer their customers end-to-end Asynchronous Transfer Mode (ATM) Services using AT&T Network Systems new GCNS-2000 datanetworking switch. The GCNS-2000 switch will support 20 gigabits per second of switching capacity, allowing the high-speed, sophisticated applications of ATM to be brought to the PSTN. The GCNS-2000 also will become the core switching vehicle for AT&T's InterSpan ATM Services. Using an ATM network (Also called broadband), for example executives could participate in a multilocation multimedia conference call, while exchanging documents and images. Medical specialists in different hospitals could concurrently review a patient's X-ray or CAT scan. And customers everywhere could select a movie to watch at any time. The new switch is part of Network Systems' data networking switching product line, which includes the BNS-2000 fast-packet cell-relay system. This switch

is deployed by various phone companies in the US and other countries in support of their frame-relay networks and switched multimegabit data service offerings. The GCNS-2000 uses a new core ATM technology, developed by AT&T Bell Laboratories, a key feature of which is the "shared memory fabric". This allows the equipment to accommodate simultaneously the distinct and different natures of voice, data and video transmission, so that all types of signals can be processed at once. The switch will be available on a limited basis at the end of 1993, and generally available six months later. ----------------------------------------------------------------------------Wireless 5ESS Switch Gets New Capabilities (AT&T Technology v.8, no.1) The 5ESS Switch for the AUTOPLEX System 1000 will now support AMPS standards all over the world, and the Global System for Mobile Communications standard. While the new switch will, at first, provide the same features and services now available on the AUTOPLEX System 1000 Switch, it will eventually become a platform for ISDN and advanced intelligent network applications. The 5ESS Switch with wireless capability represents a new, cost-effective growth option for AUTOPLEX System networks. Future versions of the switch for the AUTOPLEX System will make it possible to have analog and digital AMPS, as well as POTS on the same switch. Switch availability is scheduled for mid1994. ----------------------------------------------------------------------------800 Service Recognizes Speech (AT&T Technology v.8, no.1) AT&T recently announced an innovative 800 Service feature that makes it easier for all callers, including the 39% of US homes and businesses with rotary and non-touch-tone telephone to obtain information from businesses by simply speaking. Called AT&T 800 Speech Recognition, this new capability enables callers to verbally respond to announcement that allow them to automatically select the information or assistance they want. AT&T is the first long-distance company to provide voice-activated call routing in an 800 service network. Past technology only enabled callers using touch-tone telephones to direct their calls after responding to menu prompts with their keypads. Now, these callers can route their own calls quickly and efficiently by simply speaking their choice. And for the first time, callers with rotary telephones will be able to enjoy the same benefits as callers with touchtone phones. AT&T Speech Recognition is a network-based, advanced 800 Service innovation that prompts callers to speak a number - from "one" to "nine" - corresponding to a menu of options that identifies the department or location they wish to reach within the company they're calling. Supported by state-of-the-art technology from AT&T Bell Laboratories, AT&T Speech Recognition is able to recognize the spoken number, process the information, and route the call through the AT&T network to the appropriate destination. During field tests, AT&T Speech Recognition correctly identified the spoken number 97.8 percent of the time. this high completion rate was achieved even taking into account the many dialects and accents that exist across the US. AT&T Speech Recognition represents the latest step in AT&T's drive to provide its customers with complete automated transaction processing. Eventually, the capability to recognize more advanced words and entire phrases will make it

possible for AT&T 800 Service customers to process orders, dispatch repair crews, provide account information, or handle countless other functions in a fully automated, cost-effective way, if they so desire. ----------------------------------------------------------------------------Amplifier, Vector Attenuator for Wireless Applications (AT&T Technology, v.8, no.1) AT&T Microelectronics recently expanded its wireless applications technology with two high-performance, high reliability thin-film-on-ceramic devices for cellular base stations. The components are the GSM Low Noise Amplifier, an unconditionally stable amplifier designed for Global System for Mobile Communications (GSM) cellular base station receivers, and the 1098E Complex Vector Attenuator, a surface mount device that enables designers to build sophisticated signal cancellation systems into base station transmit amplifiers. The GSM low-noise amplifier is a balanced amplifier design. It operates in the 890- to 915- MHz frequency range and exhibits exceptionally low noise (1.3 dB maximum) and high third order intercept (38 dBm) with a 32 dB small signal gain, operating on a single 24 volt DC supply. While the device is tailored for the GSM band, it provides similar performance in the 824- to 849-MHz AMPS band. The key benefit to the designer is the device's unconditional stability, a characteristic important to eliminating oscillation. Due to its thin-film-onceramic implementation, the device also provides, for a given bias condition lower junction temperatures and therefore longer life and increased system reliability than a PWB realization. The 1098E Complex Vector Attenuator is functionally equivalent to the combination of an endless phase shifter and an attenuator. It is used to control the phase and amplitude of a signal without introducing intermodulation distortion, dispersion, or variation in group delay. In addition, there's no limitation on phase change, which can increase or decrease continuously without reaching an endpoint. Production quantities of the GSM low-noise amplifier will be available this fall, while the 1098E Complex Vector Attenuator is currently available in 124 PIN PQFP packaging. Pricing details and product literature are available from the AT&T Microelectronics Customer Response Center, 1-800-372-2447 Ext. 869 (In Canada, 1-800-553-2448, Ext. 869); fax 215-778-410 or by writing to AT&T Microelectronics, Dept. AL500404200. 555 Union Boulevard, Allentown, PA. 18103. ----------------------------------------------------------------------------Frame Relay Service (AT&T Technology, v.8, no.1) AT&T InterSpan Frame Relay Service will now be offered to customers in Canada (subject to CRTC approval) through Unitel Communications Inc., and in 9 additional European countries through AT&T ISTEL. Beginning in July 1993, the service will be offered in controlled introduction to customers in Canada, Ireland, Austria, Portugal, Switzerland, Denmark, Italy, Luxembourg, Finland and Norway, with general availability later in the third quarter of 1993. AT&T InterSpan Frame Relay Service will provide the same seamless global interconnectivity and high reliability currently enjoyed by InterSpan Frame

Relay customers in the US, UK, Spain, France, Belgium, The Netherlands, Germany and Sweden. AT&T provides its InterSpan Frame Relay Service over a common worldwide architecture that enables seamless global service with fast, reliable connectivity. As a result of this standards-based architecture, InterSpan Frame Relay Service provides a wise array of global features including network management and enhanced permanent virtual circuits for extended bursts. InterSpan Frame Relay Service provides a number of value-added features that are of critical importance to multi-national customers today. For example, the service provides a single point of contact for installation and maintenance of InterSpan Frame Relay Service, access and customer premises routers. Billing for InterSpan Frame Relay Service and associated local access is combined into a single bill. In one currency of the customer's choice - US dollars, UK pounds or sterling or Canadian dollars - rendered in the country of choice. In addition, protocol conversion embedded in the network will provide interoperability between InterSpsan Frame Relay Service and emerging InterSpan Asynchronous Transfer Mode (ATM) services to allow migration to ATM as the customers' business needs dictate. Dedicated InterSpan Frame Relay Service Network Operations Centres in North American and Europe monitor and manage the InterSpan Frame Relay Network around the globe, around the clock. ----------------------------------------------------------------------------Modernization Milestone for Ukraine's Telecom (AT&T Technology, v.8, no. 1) UTEL, Ukraine's telecommunications joint venture responsible for the modernization of the long-distance telecommunications network, recently inaugurated its first all-digital long distance telephone switch in L'viv. The 5ESS Switch, supplied by AT&T Network Systems International, was officially put into service with a ceremonial inaugural call between the Minister of Communications of Ukraine, Oleh Prozhyvalsky, in L'viv and Victor A. Pelson, AT&T Group Executive, Communications Services in NJ. With the new 5ESS Switch, most citizens n L'viv can now make direct international calls to many countries in the world. International connections are completed via an earth station located in Zolochive, which in turn is connected to an international switching center in Kiev, Ukraine. Just four months ago, international calls from Ukraine were possible only via their services of Moscow's telephone operators; on average, outgoing calls required 24 hour's advance notice. The 5ESS Switch in L'viv includes 4,000 trunk lines and 1,000 subscriber lines and is the latest generation of telecom equipment utilizing digital technology to connect voice, data and image messages. UTEL recently signed an agreement to purchase six additional 5ESS switching systems for Ukraine. Final assembly of these switches will take place locally in Ukraine at the Chernighiv Zavod Radioaparatur (Chezara) production plant in Chernigiv. Following L'viv, the next switches are scheduled to be installed in Chernivtsi, Uzhorod, Poltava, Luhansk and Kirovohrad, doubling today's capacity. ----------------------------------------------------------------------------XUNET (AT&T Technology, v.8, no.1) XUNET: Today's Experiments Define Tomorrow's Reality The Experimental University Network - XUNET - will soon carry 622-Mb/s traffic

A high-speed experimental network is giving researchers and graduate students an opportunity to explore issues important to the future of data communications. The Experimental University Network (XUNET) now consists of experimental switches, based on the Asynchronos Transfer Mode (ATM) standard, linked by 45 megabit-per-second (Mb/s) transmission lines. Host computers on fiber-distributes data interface LANs communicate over XUNET via routers between the LAN and the ATM backbone. In a few months, AT&T, the University of Wisconsin at Madison, and the University of Illinois at Urbana-Champaign will begin to communicate over experimental links at 622 Mb/s. With the higher-speed links and a higher-performance Peripheral Interface LAN, a user in a remote location will be able to display the output of a supercomputer simulation on his or here workstation in real time. While the XUNET testbed is small, the research program seeks to understand the problems of a large high-speed data networks. With existing wide-area data networks, most users communicate at speeds of 1.5 Mb/s or less. Research on XUNET anticipates that users will interface at speeds up to hundreds of Mb/s. With higher speeds comes the potential for new applications such as full-motion video, multimedia conferencing, and distributed computing all over the public network. The XUNET testbed, which is supported by AT&T Data Communications Services, is also the basis for BLANCA, one of five gigabit testbed networks sponsored by the Corporation for National Research Initiatives. TESTBED EVOLUTION The program began with XUNET I in 1986 as a collaboration among AT&T, the University of California at Berkeley, the University of Illinois, and the University of Wisconsin. The universities were linked with AT&T Bell Laboratories using DATKIT VCS switches and transmission links used ACCUNET T1.5 Services at 1.5 Mb/s. Students at the universities have a change to try ideas out first hand by using XUNET as a research tool in running controlled network experiments. For example, students can remotely download different algorithms into the XUNET switches to study the effect on a heavily loaded network. XUNET II became operational in January 1992, offering a thirty-fold increase in speed over XUNET I by using experimental ATM switches and transmission lines operating at 45 Mb/s. In addition to AT&T and the universities Pacific Bell and Bell Atlantic are involved in the XUNET II activity. In July 1992, Sandia National Laboratories and Lawrence Livermore Laboratories were linked into the XUNET testbed, and in February 1993 Rutgers University joined. In addition, students from the University of Pennsylvania and Columbia University participate in the XUNET program, and students from the universities have been invited to AT&T Bell Laboratories at Murray Hill to work with researchers there. XUNET III, the first portion of which is scheduled for operation this June, will be more than an order of magnitude faster than XUNET III. A 622 Mb/s link will connect XUNET switches at an AT&T Chicago CO, the University of Wisconsin, and the University of Illinois. RESEARCH RESULTS The XUNET collaboration includes research in many of the key areas in widearea networking, including switch architectures, LAN interfaces, network operations, managment tools and techniques, and network applications. One

focus of the program has been on congestion control to determine how the network can meet the quality of service needs for different types of traffic even in the presence of heavy load. For example, voice, video and multimedia traffic may require controlled delay and variation in delay, whereas file transfer traffic may not. Research into protocols and the trunk service disciplines used in switching nodes have identified effective ways of carrying many types of traffic in a network while avoiding congestion and degradation of the quality of service. XUNET has already provided valuable insight for AT&T's service realities. And this will continue to be the case as AT&T moves towards its realization of ATM services in 1994. By A.G. Fraser, Erik K. Grimmelmann, Charles R. Kalmanek and Giopala S. Subramanian ----------------------------------------------------------------------------DACS II Goes TEMPEST (AT&T Technology, v.7, no.4) The National Security Agency (NSA) of the US Government has endorsed the TEMPEST version of the AT&T Digital Access and Cross Connect System II (DACS II). The TEMPEST is encased in a special cabinet which shields its electronic output from eavesdropping or monitoring by unauthorized personnel. The NSA endorsement means it will be included on the Endorsed TEMPEST products list. Communications Systems Technology, Inc. (CSTI), based in Columbia, MD, engineers the cabinet under an agreement with AT&T Network Systems, then markets the TEMPEST as a CS-1544 switch. The DACS II is a fast and reliable digital cross-connect system developed by AT&T. Up to 160 standard 1.544 megabits-per-second DSI signals, each consisting of 24 channels (DSOs) may be terminated on the CS-1544. Each of the 24 DSOs comprising a DS1 signal may be cross connected to any other DS1. ----------------------------------------------------------------------------Swat teams on 24-hour call (IEEE Spectrum, August 1992) "We all have wonderful war stories to tell about being roused from sleep," said Barbara Fraser, one of seven members of the Computer Emergency Response Team (CERT). Most computer crackers, like common robbers, prefer to break in during off-hours, she said, and international incidents add to the 24-hour nature of the job. Mostly, however, CERT's business is conducted between 7:30a.m. and 6 p.m. Pittsburgh time. CERT's domain is the Internet, a worldwide supranetwork with perhaps a million host computers and five to eight million users. Roughly half are in the US, and membership is expanding fast in Europe, the Pacific Rim, and South America. Each day, the CERT team responds to an average of 300 hotline calls and email messages most in English. Last year, they averaged about one "incident" a day. Now its up to three. (An incident is an actual of attempted intrusion.) They have responded to serious attacks from Europe ("This is NOT A PRANK"), put out a major US hackers alert that counselled "Caution (not panic) is advisable," and warned against email trojan horses that catch passwords from gullible users. When a call or message comes, the CERT member on duty supplies technical guidance to the site so that they can fix the problem and assess damage. Unless otherwise agreed to, everything is confidential and may even be

anonymous. CERT members determine whether the host was networked, its level of security, the system configuration, and whether the system's vulnerability is familiar or new. CERT director Ed DeHat stresses that any tip is welcome. Last year, for instance, a person reported a failed attempt to seize his password file. CERT went back to the originating site and found intruder(s) "were trying to break into thousands of system." The originating site alerted managment, cut connections to the outside temporarily and closed the "holes" in its security system. CERT does not investigate intrusions with an eye to criminal prosecution, but it does recommend whom to contact for investigations by law enforcement groups such as the local police, the FBI, or the SS. Most of CERT's traffic consists of security chatter; experts call to share information while others ask CERT advisories or request general advice. Less often, CERT has to tip off organizations about likely penetrations. "Almost always, an incident is not stand-alone," said Fraser. It may vary from 10 hosts at a single site to "tens of thousands of hosts over the world." Many people do not wait for a problem by call CERT for a "sanity check" reassurance that their site and its systems are safe. Novices are not discouraged. "We hold their hands," Fraser said. Help is free and is even encouraged. CERT was formed only weeks after the paralysing 1988 attack on Internet by Robert Morris Jr., son of a computer security scientist. It is funded by the Pentagon's Defense Advanced Research Projects Agency through the Software Engineering Institute at Carnegie Mellon University in Pittsburgh. With its expertise in system vulnerabilities, CERT is expanding its efforts in education and training as well as research and development for network security. Already, it sends a security checklist to sites as needed and advises cores of Unix software vendors of security flaws that need patching. It also keeps a confidential mailing list of vendors regarding vulnerabilities in their products. "This is not the textbook type of security problem," DeHart said. "This is based on what people are doing." Such companies as Sun Microsystems and NeXT, and more recently IBM, are mentioned a lot in the CERT advisories, noting fixes to systems flaws. Rather than being an embarrassment or indictment of their products, this shows that these companies are committed to security, DeHart said. CIAC (for Computer Incident Advisory Capability), a sister group of CERT with responsibility for Department of Energy computers, is located at the Lawrence Livermore National Laboratory in Livermore, CA. Known for its software an analytical capabilities, CIAC keeps 20-30 viruses in isolation "for dissection and reverse engineering." Steve Mich, CIAC project leader, said they average perhaps one or two incidents a week, Like CERT, they always wait until a patch is found before they announce the vulnerability. The flaw is described over email as vaguely as possible to thwart would-be-crackers. But sometimes, he said, "it's like trying to describe a hula hoop without moving your hand." Other countries are responding too. In 1990 Germany's information security agency created two national incident response teams: the Virus Test Center at the University of Hamburg and the MicroBIT Virus Center at the University of Karlsruhe.

The Hamburg center has five staffers and many students who analyze viruses and monitor activities of the German hackers known as Chaos Computer Club. The center receives 20-100 reports of virus cases each week from Germany and Scandinavia., divided equally between government, industry and academia. Email links aid coordination with other experts in Australia, Europe, Japan and the US. A current European Community initiative would create serval more CERT-like groups in diverse countries. All told, the US Department of Justice reports there are more than a dozen CERT teams. Not to be left out, its own FBI recently formed the Computer Analysis and Response Team (CART), which will take its place beside other FBI laboratories, like those for analysis of DNA, chemicals and poisons, and shoe and tieprints. Initial plans call for a staff of 12 agents. CART's main task will be the forensic examination of computer evidence, according to manager Stephan McFall. They must also guarantee (somehow) to the satisfaction of US courts that magnetic data has not been altered or deleted since being confiscated. McFall declined to give more details other than to say that research is being done and that CART will also help train agents in the field. There are so many CERT-like groups in government and industry today that in 1990 the Forum of Incident Response and Security Teams (First) was born. The group meets regularly and organizes workshops on incident handling. Even organizations without worm-busting squads can join if approved. - J.A.A. ----------------------------------------------------------------------------Getting Tougher on Long-Distance-Service Thieves (AT&T Technology, v.7, no.4) Theft of phone service is escalating. AT&T's NetPROTECT program helps customers secure their communications systems against remote access, preventing fraud. Picture this. It's 2 a.m. on a soft spring night on Wall Street. The buildings lining the canyons of lower Manhattan are dark and silent; even the cleaning staffs have gone home for the weekend. But inside the offices of Global Conglomerate, Inc. - GlocCon for short it's very, very busy. For several hours GlocCon's PBX has been pressed to keep up with call-processing demand. Thousands of calls to dozens of domestic and international locations have poured out of the company's offices since just past normal closing time. The PBX is so active, in fact, that it offers a constant busy signal to anyone trying to call in. For a Saturday morning at 2 a.m., GloCon is doing a land office business. The problem is that all that business is illegal. GlocCon is being hit by "callsell" operators - big time. Over the weekend alone, the toll-fraud bill is going to be substantial, perhaps even outstripping GloCon's normal monthly phone bill. And, according to the tariffs governing AT&T's services, GlocCon is responsible for picking up the tab. Happily, for customers ant AT&T, such an experience may soon be history. Since August 24, 1992, when tariffs became effective, AT&T has been offering customers the NetPROTECT family of products and services, an integrated offering of hardware and software that helps detect, prevent and correct remote PBX toll fraud.

Such fraud is expensive. Estimates of the financial damage done by hackers and long distance thieves range from less than $1 billion to over $4 billion annually. From AT&T's perspective, the best estimate of industry toll fraud is $1.2 billion annually, a figure issued by the Washington D.C. based Communications Fraud Control Association. But by any estimate, the fraud problem is large and growing. For several years AT&T has offered security seminars aimed at alerting customers to toll fraud, and has been telling them how they an protect themselves against it. AT&T actively works with customers to make certain they understand and use their business telephone system's security features. AT&T also cooperates with law enforcement agencies and customers in resolving ongoing investigations of fraud. And it recently has been the forefront of developing legislation on the state and federal levels that would treat toll fraud as the serious crime that it is. AT&T worked with the New York State legislators to make the theft of long distance service a felony; the law became effective Nov. 1, 1992. The NetPROTECT Service offering includes fraud protection for customer premises-based equipment as well as three levels of network protection. With NetPROTECT Service active seven days a week, around the clock, AT&T's NetPROTECT Service Security organization can look continuously at network calling patterns, especially calls to a changing number of high-fraud countries. These countries usually are involved in drug trafficking and the "country-ofthe-month" changes frequently changes frequently. Fraudulent calls also are made to countries from which there's large legal and illegal emigration to the U.S. A toll switch in the U.S may suddenly start pumping out a large number of one of these countries from a particular CO. If the calls are found to originate from a business, AT& contacts the company, says fraud is suspected, and works with an employee to stop the fraudulent calling from the PBX. NetPROTECT Service is made possible by the Toll Fraud Early Detection System - TFEDS. (See sidebar, next paragraph) TFEDS, a pattern recognition network monitoring tool, was developed by Business Customer Services - BCB (Business Customer Billing) and the Network Services Division. TFEDS enables AT&T's Corporate Security organization to quickly spot and monitor calling patterns that indicate fraud - as it occurs. NetPROTECT Services offers different levels of protection that are tailored to customer needs. Toll Fraud Early Detection System TFEDS provides AT&T's Corporate Security Group with timely and flexible monitoring tools to detect and report remote-access PBX fraud. TFEDS also has access to near-real-time billing data for identifying PBX fraud patterns. In the past; that is, prior to NetPROTECT Service, the limited amount of call monitoring that was done used data that was three days to two weeks old. Now, monitoring reports are generated almost hourly, around the clock, every day. TFEDS processes data for 800 and international services and, based on predefined customized parameters, generates reports to later Corporate Security that a customer's PBX is being hacked, or that there's abnormal international calling from the PBX. Planned TFEDS enhancements include an expert system to improve detection accuracy by allowing NetPROTECT Service Security to maintain generic and customer-specific business rules applicable to PBX fraud. It also will be possible to maintain customer-specific data for long-term statistical analysis and trending, and there will be better tools for fraud case management.

LEVELS OF PROTECTION Basic Service, the first level of protection, is provided to all AT&T businesses long distance customers at no charge. With this service, AT&T monitors its domestic 800 service and international long-distance network around the clock, seven days a week, in an attempt to spot suspicious patterns of network usage indicating fraud. Because more than 90 percent of toll fraud is international traffic to a certain number of high-fraud countries. Basic Service can catch a significant amount of fraud while its's in progress. In early 1992 AT&T received FCC approval to deny hackers access to AT&T's 800-Service network. Using some of its basic monitoring tools, NetPROTECT Security can monitor repeated 800 call attempts made from a particular phone number. In the fictional Wall Street example. high calling volume from GloCon's headquarters to high-fraud countries after normal business hours would be flagged as potential fraud. Under the Basic Service option, AT&T would call a company representative to warn of suspicious traffic from its office, and the person would shut down the PBX. If the representative can't be contacted or takes no action, the customer would continue to bear all liability for whatever fraud occurred. Advanced Service offers a greater degree of protection, requiring AT&T to implement several safeguards that include: o preventing access to the PBX from remote-maintenance ports; o installing security codes on the PBX so people who dial in, using remote access and other advanced features of the PBX, must dial a multidigit security code to dial out; o safeguarding voice-mail systems so callers can't migrate from the system to outgoing direct-dial trunks; and o maintaining backup copies of PBX software so if the PBX is hacked, it can be shut down and brought back up. Customers must also provide a list of phone services and a list of phone numbers they want AT&T to watch, and the names and numbers of three people in the company who can be called anywhere, anytime if there's a problem. In exchange the customer's liability is $25,000 per fraud incident, measured from when the fraud starts until two hours after the customer is notified. [Eds. The original said "after AT&T is notified" but this makes no sense as the customer is the one that must shut off the PBX. And the next sentence deals with AT&T being notified by the customer.] If the customer spots the fraud first then notifies AT&T, the customer's liability is reduced by 50 percent, to a maximum of $12,500. Once fraud is identified, AT&T works with the customer to find the source and shut it down. AT&T's liability, however, stops two hours after the fraud is identified. Premium Service offers still further protection, requiring customers to follow more stringent security guidelines. In exchange, Premium Service customers have no financial liability from the start of fraud to two hours after notification. As with the Advanced Service option, AT&T will assume liability for remote toll fraud for only two hours after the fraud is identified. AT&T also will work with customers to identify and shut down the sources of fraud. NetPROTECT Service guarantees coverage of only remote toll fraud - fraud that occurs when a customer's telecom system has been penetrated from the outside. While our monitoring will catch fraud, customers are still responsible for protecting themselves against unauthorized use of their long-distance service

by their own employees or other inside agents. AT&T Global Business Communications Systems also offers the following products and services, which help secure customer-premises equipment: o AT&T Hacker Tracker - software that's used with AT&T's PBX Call Accounting System for continuous monitoring of all incoming and outgoing calls. This software causes the system to automatically alert security when it detects abnormal activity such as a PBX getting high volumes of incoming 800-number calls after hours, or calls to international destinations. o Security Audit Service - a consulting service provided by security people in AT&T's National Technical Service Center in Denver, and Corporate Security. These people perform individual system audits and recommend security measures. o Fraud Intervention Service - provided by AT&T's National Technical Service Centre. The service helps customers identify and stop fraud while its in progress. It would give step-by-step guidance, for example on securing the PBX and installing the back-up copy of the PBX's software. Also available are several educational offerings and a security handbook. ADDED SAFEGUARDS Since NetPROTECT Service was announced, a number of insurance companies have indicated interest in providing toll-fraud insurance. The Travellers Companies actually have introduced toll-fraud insurance policies that cover business customers, indemnifying them for a loss that has occurred. Further measures also have been taken., Using some of the basic monitoring tools, AT&T NetPROTECT Service security personnel now can monitor repeated 800 call attempts made from a particular telephone number. This is particularly useful because a favourite trick of hackers is to randomly dial 800 numbers to reach a voice-processing system or other automated attendant. If the owner of the 800 number hasn't properly secured the system, a hacker can bypass it and make outgoing calls. Once they penetrate a particular number, hackers often sell it or may post it on electronic bulletin boards for other hackers to use. People who exceed a certain threshold level (which changes hourly or daily) of 800-number attempts in a predetermined time are locked out of AT&T's 800 network. Toll fraud isn't committed just by hackers. It's a big and growing business, often perpetrated by organized crime. Because toll-fraud has generally not been a high priority for law enforcement officials, toll thieves traditionally have not faced heavy penalties even if caught. With little risk and high profits, it's no wonder the toll-fraud business is booming. NetPROTECT Service is an aggressive program to fight back. Standing squarely with its customers, AT&T believes it can put an end to the theft of long distance service. By James R. McFarland ----------------------------------------------------------------------------Coming Soon in Future LOD Technical Journals: %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% * An Introduction to starting and operating your own pirate radio station. * An Update of The Mentor's famous Introduction to Hacking. With new defaults, new systems and tricks of the trade!

* Bit Stream on Carding Today * And MUCH, MUCH more! Remember, the more files submitted the quicker these journals can roll out. If you'd like to offer anything to the LOD, contact us today. -----------------------------------------------------------------------------